Reference

Glossary

Definitions of technical terms used in Shield articles. 85 terms defined.

A

Air gap

Physical isolation: no network connection between a system and the rest of infrastructure.

An air gap is the physical isolation of a system: no network connection to other infrastructure. Data is exchanged only via controlled removable media, with integrity checks on what crosses the gap. Used for critical assets: industrial systems (OT), ransomware-protected backups, state secrets. Limits: Stuxnet (2010) crossed an air gap via infected USB drives, and laboratory side-channel attacks exist.

See also: backup, ransomware

archive.today

On-demand web archiving service with permanent snapshots.

archive.today (formerly archive.is) is an on-demand web archiving service: anyone can submit a URL and get a permanent, immutable snapshot. No official removal mechanism. Used by journalists, researchers, and some malicious actors to preserve evidence. The immutable nature makes right-to-be-forgotten requests ineffective.

See also: wayback, OSINT

B

Backup

Data copy kept separately for restoration in case of loss or compromise.

A backup is a data copy kept separately for restoration after loss (hardware) or compromise (ransomware). 3-2-1 rule: 3 copies, on 2 different media, 1 offsite. Modern ransomware practice: add 'I' for immutable (S3 Object Lock, air-gap). Backups only work if tested: 70% of organizations discover their backups are incomplete or compromised after a ransomware incident.

See also: ransomware, air-gap

BitLocker

Microsoft disk encryption integrated into Windows Pro/Enterprise.

BitLocker is Windows disk encryption (Pro, Enterprise, Education since Vista). Uses AES-128 or AES-256 in XTS mode. Relies on the TPM for transparent unlock at boot. Default TPM-only configuration (no PIN): vulnerable to DMA attacks if the device is stolen while running or sleeping. Enable a pre-boot PIN on sensitive devices.

See also: tpm, luks, filevault

Burner phone

Prepaid disposable phone used for a specific purpose then abandoned.

A burner phone is a prepaid phone (often a basic feature phone) bought in cash with a prepaid SIM, used for one purpose (a risky trip, a sensitive operation) then abandoned. Common in investigative journalism, diplomacy, sensitive corporate ops. Limit: carrying the burner alongside your main phone while both are powered on allows immediate correlation by any actor with access to carrier logs.

See also: imei, esim

C

CASB — Cloud Access Security Broker

Intermediary between users and cloud apps enforcing security policies.

A CASB (proxy or API) sits between users and cloud applications enforcing policies: enhanced authentication, DLP, anomaly detection, token encryption. Actors: Netskope, Microsoft Defender for Cloud Apps, Zscaler. Useful with massive shadow IT adoption. Limits: proxy = full coverage but latency; API = partial coverage.

See also: dlp, ztna

CEO fraud — Business Email Compromise (BEC)

Scam where an attacker impersonates an executive to order an urgent wire transfer.

CEO fraud (Business Email Compromise, BEC) has the attacker impersonating an executive or trusted partner ordering an urgent wire transfer to a finance employee. Vectors: internal mail account compromise, typosquatting impersonation, voice/video deepfake. Annual global losses: several billion USD (FBI IC3). Defense: systematic out-of-band validation protocol for any transfer above a threshold, regardless of claimed urgency.

See also: social-engineering, deepfake

Compartmentation — Identity compartmentation

Separating identities by usage (civil, public pro, sensitive pro, operational).

Identity compartmentation separates identities by usage: civil (bank, tax, building manager), public pro (LinkedIn, media), sensitive pro (M&A, litigation), operational (third-party services, subscriptions). A leak on the operational identity does not contaminate the sensitive identity. The structuring principle once you assume your data has already leaked.

See also: simplelogin, threat-model

Compelled disclosure

Legal obligation to provide passwords or decrypt devices under penalty.

Compelled disclosure is a legal obligation in certain jurisdictions to provide passwords or decrypt devices under penalty. UK RIPA s49: up to 2 years prison. France: Penal Code art. 434-15-2. US: Fifth Amendment partial protection varying by jurisdiction. Preparation: architectures making disclosure impossible (keys stored out-of-jurisdiction, cryptographic deniability).

See also: border-search

CSP — Content Security Policy

HTTP header defining authorized content sources on a web page.

CSP is an HTTP header defining authorized sources for each content type (scripts, styles, images, iframes). Hardens pages against XSS and content injection. Granular directives: script-src, style-src, img-src, etc. Audit: observatory.mozilla.org.

See also: xss, https, hsts

CVE — Common Vulnerabilities and Exposures

Standardized identifier for public vulnerabilities, format CVE-YYYY-NNNNN.

The CVE is a standardized identifier for public security vulnerabilities, managed by MITRE and CISA. Each entry references the vulnerability, affected products, CVSS score, fixes. Primary source for vulnerability watch, to couple with vendor advisories.

See also: cvss, rce

CVSS — Common Vulnerability Scoring System

Vulnerability rating system on a 0-10 scale.

CVSS assigns each CVE a severity score on a 0-10 scale. Current version: 4.0 (2023), with Base, Threat, and Environmental components. Categories: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). Base score alone is insufficient for prioritization: account for context (exposure, asset criticality, exploitation state).

See also: CVE, rce

D

Data broker

Company collecting, aggregating, and reselling personal data at scale.

A data broker's business model relies on collecting, aggregating, and reselling personal data. Major actors: Acxiom (LiveRamp), Experian, LexisNexis Risk Solutions, Oracle Data Cloud, Epsilon. They maintain profiles on billions of people with up to 1,500+ attributes. Sources: loyalty cards, web forms, mobile apps, opaque partnerships. GDPR imposes rights, but exercising them in cascade is practically impossible.

See also: GDPR, OSINT, leak-database

Deepfake

AI-generated synthetic media (image, video, voice) imitating a real person.

A deepfake is AI-generated synthetic media imitating a real person convincingly. Technologies: GANs, diffusion models, voice cloning (ElevenLabs, Resemble). Offensive uses: CEO fraud via cloned voice (Hong Kong 2024, $25M), disinformation, synthetic kompromat. Technical detection increasingly difficult. Organizational defense: out-of-band validation protocol for unusual requests, targeted awareness.

See also: fraude-au-president, social-engineering

DLP — Data Loss Prevention

Solution detecting and blocking sensitive data leaks (emails, files, clipboard).

DLP detects and blocks sensitive data (PII, secrets, classified documents) leaving a defined perimeter. Implementations: endpoint DLP, network DLP, cloud DLP (CASB). Actors: Microsoft Purview, Symantec, Forcepoint, Netskope. Often perceived as legal coverage more than operational protection.

See also: casb, ztna

DNS — Domain Name System

System resolving domain names to IP addresses. Vastly underestimated surveillance vector.

DNS translates domain names to IP addresses. By default, your requests pass cleartext through your ISP, which sees every site you visit. Main vector of state and commercial surveillance, censorship, and manipulation. Hardening via DoH or DoT radically changes transit confidentiality. Often neglected even by mature organizations.

See also: doh, dot

DoH — DNS over HTTPS

Protocol encrypting DNS requests inside HTTPS, hiding them from the ISP.

DoH (RFC 8484) encrypts DNS requests inside standard HTTPS traffic, hiding them from ISP and network observers. Implemented natively in Firefox, Chrome, Safari, Windows 11. Trade-off: shifts trust from ISP to the DoH resolver (Cloudflare, Google, NextDNS, Mullvad, Quad9). Resolver choice matters.

See also: dns, dot
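The wire-level view of what DoH actually transports, as an added example (not code from Shield or from any resolver vendor): a DNS query is serialized in the usual RFC 1035 binary format, then carried inside HTTPS, in the GET form as a padding-free base64url `dns=` parameter. The query builder reproduces the `www.example.com` query shown in RFC 8484 (transaction ID 0, which the RFC recommends for GET so responses can be cached); the response parser and the sample response it reads are constructed here, with the documentation address 192.0.2.1 as the answer.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Serialize a DNS query in RFC 1035 wire format with the RD (recursion desired) flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    question = b""
    for label in name.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError(f"invalid label: {label!r}")
        question += bytes([len(encoded)]) + encoded
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question

def doh_get_path(name: str, qtype: int = 1) -> str:
    """Path for the DoH GET form: /dns-query?dns=<base64url(query)> with '=' padding removed."""
    wire = build_dns_query(name, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"/dns-query?dns={encoded}"

def parse_a_records(response: bytes) -> list:
    """Extract the IPv4 addresses from the answer section of a DNS response (wire format)."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    offset = 12

    def skip_name(pos: int) -> int:
        # A name is a run of length-prefixed labels ending in 0, or a 2-byte compression pointer.
        while True:
            length = response[pos]
            if length & 0xC0 == 0xC0:
                return pos + 2
            pos += 1
            if length == 0:
                return pos
            pos += length

    for _ in range(qdcount):
        offset = skip_name(offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = skip_name(offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(".".join(str(b) for b in rdata))
    return addresses

# Constructed sample response (not captured from a real resolver): one A record, TTL 300,
# answer name given as a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print("GET", doh_get_path("www.example.com"))
    print("answer:", parse_a_records(SAMPLE_RESPONSE))
```

The same bytes, sent as the body of a POST with `Content-Type: application/dns-message`, form the other DoH variant; either way the query is indistinguishable from ordinary HTTPS traffic on the wire, which is exactly the property the entry above describes, and also why the resolver operator, not the ISP, becomes the party that sees every name you look up.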

DoT — DNS over TLS

DoH variant using direct TLS on port 853.

DoT (RFC 7858) encrypts DNS requests via TLS on port 853. Less stealthy than DoH (port 853 is identifiable), but simpler to manage in enterprise environments. Natively supported by Android 9+ and iOS 14+.

See also: dns, doh

E

E2EE — End-to-End Encryption

End-to-end encryption: only sender and recipient can read content.

E2EE guarantees only sender and recipient can decrypt content. Applications: Signal (reference), WhatsApp, iMessage (Apple-to-Apple), Threema, Wire. Distinct from transit encryption (HTTPS). Limit: E2EE protects content, not metadata (who talks to whom, when).

See also: signal, pgp, metadata

EDR — Endpoint Detection and Response

Agent on workstations/servers detecting suspicious behavior and enabling response.

An EDR collects endpoint telemetry (processes, files, registry, network) and detects suspicious behavior via rules, signatures, ML. Also enables response (isolate machine, kill process, forensics). Major actors: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint. Near-prerequisite for enterprise. Limit: does not stop upstream social engineering.

See also: xdr, siem, mdr

ENISA — European Union Agency for Cybersecurity

EU cybersecurity agency, publishes the annual Threat Landscape.

ENISA is the EU cybersecurity agency. Its most useful publication: the annual Threat Landscape synthesizing dominant attack vectors, actors, and targeted sectors. Reference reading for strategic intelligence framing.

See also: NIST, nis-2

eSIM — Embedded SIM

Integrated reprogrammable SIM card supporting multiple carrier profiles.

An eSIM is a chip integrated into the device, remotely programmable via QR code or carrier app. Can host multiple profiles (main carrier + travel data). Advantages: carrier change without physical manipulation, travel data profiles (Airalo, Holafly). Operational profile: travel data eSIM + fixed physical SIM in parallel.

See also: sim-swap

EXIF — Exchangeable Image File Format

Metadata attached to images: date, GPS, device model, capture settings.

EXIF metadata is attached to JPEG/TIFF/HEIC images: capture date, GPS coordinates, device model, capture settings. Classic leak source via social networks (some platforms strip, others don't). Strip before any sensitive sharing: exiftool, mat2, or native OS tools.

See also: metadata, OSINT

F

FIDO2 — Fast IDentity Online v2

Strong authentication standard using hardware cryptographic keys, phishing-resistant.

FIDO2 combines WebAuthn (browser API) and CTAP2 (authenticator protocol). The private key never leaves the device. Phishing-resistant by design: the key verifies the site origin before signing. If you are on a fraudulent domain, the key refuses. Today the only truly robust MFA factor against modern attacks.

See also: WebAuthn, MFA, yubikey, passkey
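Where the phishing resistance actually comes from, as an added example (not Shield's code, nor any FIDO library's): the browser passes the site's origin to the authenticator, the authenticator binds its signature to a hash of the relying-party ID, and the relying party refuses any assertion whose `clientDataJSON` origin or `authenticatorData` rpIdHash does not match its own. The RP ID `example.com`, origin `https://example.com` and the 32-byte challenge are assumptions for the demo; the helpers that build client and authenticator data stand in for the browser and key. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key, which follows these checks in the real ceremony, is left out.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the RP serves from

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str, expected_type: str = "webauthn.get") -> dict:
    """Relying-party checks on clientDataJSON: ceremony type, fresh challenge, exact origin."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != expected_type:
        raise ValueError(f"unexpected ceremony type {client_data.get('type')!r}")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (stale or replayed assertion)")
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin {client_data.get('origin')!r} is not {expected_origin!r}")
    return client_data

def verify_authenticator_data(auth_data: bytes, rp_id: str, require_uv: bool = False) -> dict:
    """Checks on the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash does not match this relying party")
    user_present, user_verified = bool(flags & 0x01), bool(flags & 0x04)
    if not user_present:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not user_verified:
        raise ValueError("user verification (UV) required but not performed")
    return {"user_present": user_present, "user_verified": user_verified, "sign_count": sign_count}

def assertion_is_acceptable(client_data_json: bytes, auth_data: bytes, challenge: bytes,
                            origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> bool:
    try:
        verify_client_data(client_data_json, challenge, origin)
        verify_authenticator_data(auth_data, rp_id)
        return True
    except ValueError:
        return False

# --- Demo-only stand-ins for the browser and the authenticator (constructed) ---

def build_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    """What the browser serializes: the origin comes from the browser, not from the page."""
    return json.dumps({
        "type": ceremony,
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()

def build_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """What the authenticator emits: sha256(rpId) || flags || signCount (UP and UV set)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

CHALLENGE = bytes(range(32))  # constructed; a real RP draws it at random per ceremony

if __name__ == "__main__":
    genuine = build_client_data(CHALLENGE, "https://example.com")
    lookalike = build_client_data(CHALLENGE, "https://examp1e.com")
    print("genuine origin accepted:", assertion_is_acceptable(genuine, build_auth_data("example.com"), CHALLENGE))
    print("lookalike origin accepted:", assertion_is_acceptable(lookalike, build_auth_data("examp1e.com"), CHALLENGE))
```

The lookalike case fails twice over: the browser on the fraudulent domain reports that domain as the origin, and the authenticator hashes that domain as the RP ID, so even a relayed assertion cannot be presented to the real site. That is what makes the origin check structurally different from TOTP, where the code carries no information about where it was typed.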

FileVault — FileVault 2

Disk encryption integrated into macOS since OS X Lion.

FileVault 2 is macOS disk encryption since Lion (2011). AES-128 XTS. On recent Macs (M1+), the internal storage is practically always encrypted via the Secure Enclave; FileVault adds user-password protection on top. Non-negotiable on any work Mac.

See also: tpm, bitlocker, luks

Fingerprinting — Browser fingerprinting

Identifying a device by unique browser and system characteristics.

Browser fingerprinting identifies a device by the unique combination of its browser and system: user-agent, fonts, screen resolution, timezone, plugins, canvas rendering, WebGL, AudioContext. 20-30 attributes form a near-unique fingerprint. Allows cross-session tracking without cookies. Tools: amiunique.org, coveryourtracks.eff.org. Defense: Tor Browser, Firefox with resistFingerprinting.

See also: tor, metadata

Forensics — Digital forensics

Discipline analyzing digital traces after an incident to reconstruct what happened.

Digital forensics analyzes traces (disks, memory, logs, network) after a security incident to reconstruct the timeline, identify actors, and preserve evidence for judicial use. Actors: Mandiant, CrowdStrike Services, Kroll, NCC Group. Preparing a forensics partner contact before an incident radically changes response speed.

See also: incident-response

G

GDPR — General Data Protection Regulation

EU Regulation 2016/679 on personal data protection, in force since May 2018.

The GDPR (EU 2016/679) is the unified European framework on personal data protection. It imposes lawfulness, minimization, limited retention, and individual rights (access, rectification, erasure, portability, objection). Penalties up to 4% of global revenue. In practice: excellent legal framework but does not protect against already-constituted leaks and does not apply to non-EU actors who ignore requests.

See also: data-broker, right-to-be-forgotten

H

HIBP — Have I Been Pwned

Free public service by Troy Hunt indexing emails in public breaches.

Have I Been Pwned (haveibeenpwned.com) is a free service indexing emails appearing in public breaches. For a given email, returns the list of breaches where it appears. Indexes ~13 billion accounts across hundreds of breaches. The tip of the public iceberg: only contains what has been disclosed. Use systematically in personal exposure audits.

See also: leak-database, OSINT

HSTS — HTTP Strict Transport Security

HTTP header forcing HTTPS for future domain visits.

HSTS (RFC 6797) informs the browser the domain must be accessed only via HTTPS for a defined duration. Prevents downgrade attacks and first-hop MITM. The preload option removes the first vulnerable visit entirely. For sensitive domains, HSTS + preload is non-negotiable.

See also: https, mitm, tls

HTTPS — HTTP over TLS

Secure HTTP encrypting browser-server communication via TLS.

HTTPS encapsulates web traffic in a TLS session. Guarantees: content confidentiality, integrity, server authentication. De facto standard since 2016-2018. Enforce via HSTS. For shield.travel: HTTPS + HSTS + preload + strict CSP + Referrer-Policy.

See also: tls, hsts, csp
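The CSP, HSTS and HTTPS entries above describe a header set; this added example (written for this glossary, not Shield's own tooling) checks a response's headers against that baseline: script sources must not include `'unsafe-inline'`, `'unsafe-eval'`, `*` or `data:`, HSTS must carry a max-age of at least one year plus `includeSubDomains` and `preload` (the conditions for the preload list), and a Referrer-Policy must be present. The two header sets are constructed, one weak and one strict.

```python
def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value-or-None}."""
    opts = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            opts[name.strip().lower()] = value.strip() or None
    return opts

ONE_YEAR = 31536000
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")

def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the header set meets the baseline."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP has neither script-src nor default-src")
        for weak in WEAK_SCRIPT_SOURCES:
            if weak in scripts:
                findings.append(f"CSP script sources allow {weak}")
        if "object-src" not in policy and "default-src" not in policy:
            findings.append("CSP does not restrict object-src")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        opts = parse_hsts(hsts)
        try:
            max_age = int(opts.get("max-age") or 0)
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in opts:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in opts:
            findings.append("HSTS lacks preload")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings

# Constructed header sets for the demo
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
}
STRICT_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strict", STRICT_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

Run it against live headers by feeding it `dict(response.headers)` from any HTTP client; the checks are deliberately the few that observatory.mozilla.org weighs most heavily, not a substitute for the full audit.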

I

IAM — Identity and Access Management

Centralized management of identities and access to resources.

IAM covers centralized management of identities (users, services, machines) and their resource access. Components: directory (AD, Entra ID), SSO, MFA, provisioning/deprovisioning, lifecycle management. A mature IAM divides exploitable attack vectors by 5 to 10.

See also: sso, pam, MFA

IMEI — International Mobile Equipment Identity

Unique 15-digit hardware identifier of a mobile terminal.

The IMEI is the unique 15-digit hardware identifier of a mobile terminal. Independent of SIM. Visible via *#06#. For tracking, IMEI is more persistent than phone number: changing SIM in the same phone does not change IMEI. For a high-risk trip: burner phone = new IMEI + number pair.

See also: burner-phone, imsi-catcher

IMSI catcher

Fake mobile base station forcing nearby phones to connect to intercept communications.

An IMSI catcher (Stingray, Hailstorm) impersonates a legitimate cell tower, forcing nearby phones to connect. Allows interception of communications, device identification (IMSI), sometimes SMS injection. Used by law enforcement, intelligence services, and sophisticated criminal actors. Detection difficult. Defense: limit phone use in at-risk zones.

See also: imei, esim

Incident response

Structured process for managing a security incident: detection, containment, eradication, recovery.

Incident response is the structured process for managing a security incident. Phases (NIST SP 800-61): preparation, detection, analysis, containment, eradication, recovery, post-incident lessons. Essential: pre-written playbooks, identified team, forensics partners, prepared crisis communication. The first 90 minutes determine the entire incident trajectory.

See also: forensics, soc, ransomware

ISO 27001 — ISO/IEC 27001

International standard for information security management systems.

ISO/IEC 27001 specifies requirements for an ISMS. Covers governance, risk analysis, risk treatment, effectiveness measurement. Widespread for B2B vendor certifications. Certification attests compliance with processes, not actual operational security level.

See also: NIST, soc-2

L

Leak database

Service indexing data from public or semi-public breaches.

A leak database indexes data from publicly or semi-publicly disclosed breaches. Consumer versions: Have I Been Pwned (free). Professional versions: DeHashed, Intelligence X, Snusbase, Constella Intelligence (paid, providing cleartext passwords and complete data). Useful offensively and defensively.

See also: hibp, OSINT, data-broker

Let's Encrypt

Free automated certificate authority operated by ISRG.

Let's Encrypt is a free, automated, open CA operated by ISRG. Issues DV certificates via ACME protocol, automatable via certbot or Caddy. Democratized HTTPS since 2016 (from ~40% to >90% of the web by 2024). Certificates valid 90 days with automatic renewal.

See also: pki, tls

LUKS — Linux Unified Key Setup

Disk encryption standard on Linux, via cryptsetup and dm-crypt.

LUKS is the Linux disk encryption standard via cryptsetup and dm-crypt. LUKS2 (since 2018): JSON format, Argon2 support, secure key wiping. Combined with TPM, allows auto-unlock at boot. Essential on any mobile Linux device.

See also: tpm, bitlocker

M

Metadata

Data about data: who wrote what, when, where, to whom.

Metadata is data about data: author, creation date, modifications, geolocation (images), recipients (mails), duration and timing (calls). Often more revealing than content. An image with EXIF reveals where and when it was taken. An Office file contains author history. Always strip metadata before publishing: exiftool, mat2.

See also: exif, OSINT
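What "strip before sharing" does at the byte level, for both the EXIF and the Metadata entries, as an added example (not Shield's code and not a reimplementation of exiftool or mat2, which remain the right tools for real files): a JPEG is a sequence of marker segments, and the identifying metadata lives in a few of them (APP1 for Exif and XMP, APP13 for IPTC/Photoshop data, COM for free-text comments). The walker below lists those segments and rebuilds the file without them, leaving JFIF, quantization tables and the scan data untouched. The sample file is constructed inline; its Exif payload is a bare TIFF header and its comment embeds a fake location.

```python
import struct

SOS = 0xFFDA  # start of scan: everything after it is entropy-coded image data up to EOI
# Segments that carry metadata worth stripping: APP1 (Exif/XMP), APP13 (IPTC), COM (comment)
METADATA_MARKERS = {0xFFE1, 0xFFED, 0xFFFE}

def iter_segments(data: bytes):
    """Yield (marker, offset, total_size) for each segment from after SOI up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            yield marker, pos, len(data) - pos  # hand back the scan through EOI as one unit
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts the 2 length bytes
        yield marker, pos, 2 + length
        pos += 2 + length
    raise ValueError("truncated JPEG (no SOS segment)")

def list_metadata(data: bytes) -> list:
    """Name the metadata-bearing segments present, by their payload signature."""
    found = []
    for marker, off, size in iter_segments(data):
        if marker in METADATA_MARKERS:
            payload = data[off + 4:off + size]
            if payload.startswith(b"Exif\x00\x00"):
                found.append("Exif")
            elif payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
                found.append("XMP")
            else:
                found.append(f"segment 0x{marker:04X}")
    return found

def strip_metadata(data: bytes) -> bytes:
    """Rebuild the JPEG without any metadata-bearing segment."""
    out = bytearray(b"\xff\xd8")
    for marker, off, size in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[off:off + size]
    return bytes(out)

def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed minimal JPEG: JFIF header, Exif block, comment with a fake location, DQT, scan, EOI
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 8)
    + _segment(0xFFFE, b"shot at 48.8566N 2.3522E")
    + _segment(0xFFDB, bytes(65))
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after:", list_metadata(cleaned), "size", len(SAMPLE_JPEG), "->", len(cleaned))
```

Two things this makes visible: the embedded thumbnail that cameras put inside the Exif segment disappears with it (a classic leak when the main image was cropped but the thumbnail was not), and the scan data is copied byte for byte, so nothing about image quality changes. HEIC and TIFF lay metadata out differently, which is one reason to reach for the dedicated tools the entry names.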

MFA — Multi-Factor Authentication

Multi-factor authentication: combining two independent proofs of identity to log in.

MFA (Multi-Factor Authentication) refers to authentication combining at least two independent factors: what you know (password), what you have (phone, FIDO2 key), what you are (fingerprint, face). Implementations differ radically in robustness: SMS remains vulnerable to SIM swap, TOTP is sensitive to real-time phishing, hardware FIDO2 resists most known attacks.

See also: TOTP, FIDO2, WebAuthn, sim-swap

MITM — Man-in-the-Middle

Attack where an actor interposes between two parties believing they're communicating directly.

A MITM attack places an actor between two communicating parties, where it can read or modify their traffic. Classic vectors: open public Wi-Fi, ARP spoofing on the LAN, BGP hijacking, IMSI catchers on mobile. Defense: authenticated TLS (certificate verification). TLS protects content, not metadata or the existence of the connection.

See also: tls, wifi-public, imsi-catcher

N

NIS 2 — Network and Information Security Directive 2

EU Directive (2022/2555) extending cybersecurity obligations to essential and important entities.

NIS 2 (EU 2022/2555) extends and tightens the 2016 NIS framework with broader sectoral coverage: energy, transport, banking, healthcare, water, digital, public administration, manufacturing, food. Transposition expected October 2024. Many organizations underestimate whether they fall within its scope.

See also: enisa, ANSSI

NIST — National Institute of Standards and Technology

US institute publishing reference cybersecurity standards (CSF, SP 800-*).

NIST publishes reference technical cybersecurity standards: Cybersecurity Framework (CSF), SP 800 series (SP 800-53 controls, SP 800-63 authentication, SP 800-207 zero trust). Primary sources most international frameworks rely on.

See also: iso-27001, zero-trust

O

OSINT — Open Source Intelligence

Intelligence from open (public) sources: social media, registries, archives.

OSINT refers to collection and analysis of intelligence from open sources: websites, social media, public registries, archives, public leaks, image metadata. Used offensively (attack reconnaissance, kompromat) and defensively (exposure audit, mapping what is known about you). Main tools: Maltego, Spiderfoot, Bellingcat Toolkit, Sherlock, theHarvester.

See also: leak-database, data-broker, threat-model

OWASP — Open Worldwide Application Security Project

Foundation publishing reference application security resources (Top 10, ASVS).

OWASP publishes reference resources on application security: Top 10 (web and API vulnerabilities), ASVS, MASVS, Cheat Sheet Series. Primary source for structuring an AppSec program.

See also: xss, ssrf

P

PAM — Privileged Access Management

Enhanced management of privileged accesses (admin, root, service accounts).

PAM covers enhanced privileged access management: admin accounts, root, service accounts, application secrets. Typical practices: secret vault, automatic rotation, session recording, just-in-time access, enhanced MFA. Actors: CyberArk, BeyondTrust, Delinea, HashiCorp Vault. Neutralizes the most profitable attack vector.

See also: iam, secret-management

Passkey

Consumer FIDO2 implementation: auth key stored and synced by Apple/Google/Microsoft.

Passkey is the marketing name for Apple, Google and Microsoft's synchronized FIDO2/WebAuthn implementation. Private key stored in the device's secure enclave, synced via iCloud Keychain, Google Password Manager, or Microsoft Account. Excellent security/UX trade-off for general public, but introduces cloud account dependency. For exposed profiles, prefer non-synced hardware FIDO2.

See also: FIDO2, WebAuthn, MFA

Password manager

Application storing and generating unique passwords for each service.

A password manager stores all passwords in an encrypted vault and generates unique ones per service. Conditions: strong master password, hardware MFA on the account, backups, a thought-out recovery policy. Actors: 1Password, Bitwarden (open-source), Proton Pass, Dashlane, KeePassXC (offline). Essential, without exception.

See also: MFA, FIDO2

PGP — Pretty Good Privacy

End-to-end encryption and signature system, created by Phil Zimmermann in 1991.

PGP (1991) is an asymmetric encryption system for encrypting and signing messages and files. Free implementation: GnuPG (GPG). Significant UX limitation: key management, web of trust. For most uses, Signal replaces PGP. PGP remains relevant for long-term encrypted file and mail archiving.

See also: e2ee, signal

Phishing

Social engineering attack pushing targets to disclose credentials or execute code.

Phishing pushes the target to disclose credentials or execute malicious code via a fraudulent message imitating a legitimate source. Variants: spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice). Dominant enterprise compromise vector. Effective defense: FIDO2 + targeted awareness + out-of-band validation.

See also: spear-phishing, FIDO2, social-engineering

PKI — Public Key Infrastructure

System managing certificates and public keys to authenticate identities.

A PKI manages X.509 certificates and public keys to authenticate identities. Components: root CA, intermediate CAs, certificates, revocation lists (CRL) or OCSP. Underpins HTTPS, S/MIME, code signing. Compromise of a CA (DigiNotar 2011) is catastrophic for the entire ecosystem.

See also: tls, https

Proton — Proton AG

Swiss privacy-focused suite (Mail, VPN, Drive, Pass, Calendar) with open-source model.

Proton AG (Switzerland) offers a privacy-first suite: Proton Mail (E2EE), Proton VPN, Proton Drive, Proton Pass, Proton Calendar. Open-source clients, Swiss jurisdiction, regular external audits. European reference for privacy-conscious users. Limits: Swiss jurisdiction has legal obligations (cf. Climaaktivist 2021).

See also: simplelogin, vpn, password-manager

Public Wi-Fi

Open or shared Wi-Fi (hotel, cafe, conference) — specific threat model.

Public Wi-Fi is open, shared, or operated by a third party. Threat model: MITM by the network operator, MITM by a malicious client on the same network, fraudulent hotspot (Wi-Fi Pineapple). With HTTPS everywhere, the impact is reduced today. Still at risk: poorly implemented apps (TLS not verified), malicious captive portals, capture of unencrypted SNI and DNS. Reasonable practice: VPN + DoH enabled + captive portals treated with suspicion.

See also: mitm, vpn, doh

R

Ransomware

Malware encrypting data and demanding ransom, often paired with prior exfiltration.

Ransomware encrypts victim data and demands ransom for the decryption key. Modern groups (LockBit, BlackCat/ALPHV, Cl0p) practice double extortion: exfiltration BEFORE encryption + threat of publication. Dominant entry vector: unpatched known vulnerability or compromised RDP/VPN credentials. Effective response requires tested, offline or immutable backups and a pre-written response plan.

See also: backup, incident-response

RCE — Remote Code Execution

Vulnerability allowing a remote attacker to execute arbitrary code on a target.

An RCE vulnerability allows remote execution of arbitrary code on a target. The most critical vulnerability class. Emblematic examples: Log4Shell (CVE-2021-44228), Shellshock. CVSS 9.0-10.0. Any RCE on an exposed asset must be patched in hours, not days.

See also: CVE, cvss

Right to be forgotten

GDPR Article 17: right to erasure of personal data under conditions.

Article 17 GDPR allows requesting deletion of personal data under conditions (data no longer necessary, consent withdrawal, objection, unlawful processing). Extensive exceptions: freedom of expression, public interest, legal claims, archives. In practice: EU Google delisting works, active GDPR operator deletion works, the rest works poorly.

See also: GDPR

Rootkit

Malware installing deep in the OS to remain invisible and persistent.

A rootkit installs deep in the system (kernel, firmware, hypervisor) to remain invisible to conventional detection. Variants: kernel rootkit, bootkit (UEFI), firmware rootkit. The most sophisticated are state tools. Defense: Secure Boot, TPM attestation, regular integrity verification, hardware reset for critical cases.

See also: secure-boot, tpm

S

SBOM — Software Bill of Materials

Inventory of software components in an application, their versions and dependencies.

An SBOM is a structured inventory of software components: libraries, transitive dependencies, versions, licenses. Formats: SPDX, CycloneDX. Essential for fast vulnerability response (Log4Shell highlighted this need). Required in some contexts (US Executive Order 14028, upcoming EU CRA). Tools: Syft, Trivy, Dependency-Track.

See also: supply-chain, CVE

Secret management

Centralized management of secrets (API keys, tokens, passwords) for applications.

Secret management centralizes application secrets in a dedicated vault with rotation, audit, and controlled access. Actors: HashiCorp Vault (reference), AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Doppler. Avoids cleartext secrets in code, unprotected env vars, or versioned config files.

See also: pam

Secure Boot

UEFI mechanism cryptographically verifying the boot chain.

Secure Boot is a UEFI firmware mechanism cryptographically verifying component signatures at boot (bootloader, OS kernel, signed drivers). Prevents rootkits injecting before the OS. Required by default on Windows 11, supported by modern Linux. Combined with TPM, provides the basis of integrity attestation.

See also: tpm, rootkit

SIEM — Security Information and Event Management

Platform aggregating security logs, correlating, alerting, enabling investigation.

A SIEM aggregates logs from all organizational sources, correlates via rules or ML, generates alerts, and enables investigation. Actors: Splunk, Microsoft Sentinel, Elastic SIEM, IBM QRadar. Fundamental SOC brick. Operating cost often underestimated: ingestion + storage + tuning + analysis require a dedicated team.

See also: soc, edr, xdr

Signal

Open-source messenger with E2EE by default, operated by Signal Foundation.

Signal is an open-source messenger operated by Signal Foundation, with end-to-end encryption by default using the Signal protocol (also used by WhatsApp, Messenger). Reference for secure messaging. Non-commercial (donations). Limits: requires phone number at signup, metadata minimized but existing.

See also: e2ee, pgp

SIM swap

Attack where a fraudster convinces your carrier to port your number to their SIM.

A SIM swap has the attacker social-engineering your carrier's call center to port your mobile number to their SIM. All your SMS, including MFA codes, land with them. Jack Dorsey's Twitter account (2019) started with a SIM swap. Defense: non-SMS MFA on critical accounts, port-out PIN with your carrier, monitoring SIM change notifications.

See also: MFA, TOTP, FIDO2

SimpleLogin

Email alias service hiding your real address, acquired by Proton in 2022.

SimpleLogin (acquired by Proton 2022) creates unique email aliases redirecting to your real address without revealing it. Enables compartmentation of third-party registrations, quick identification of leaking services, and surgical deactivation on compromise. Alternatives: Apple Hide My Email, Firefox Relay, anonaddy.

See also: compartmentation

SOC — Security Operations Center

Team and platform continuously monitoring an organization's security.

A SOC provides continuous (24/7 or not) security monitoring. Three functions: detect (via SIEM/EDR/XDR), triage alerts, respond (containment, eradication). Annual cost for an internal 24/7 SOC: €1-3M minimum. Most sub-1000 employee organizations outsource.

See also: siem, mssp, mdr

Social engineering

Human manipulation to obtain information or actions, bypassing technical defenses.

Social engineering manipulates humans to obtain information, access, or actions. Techniques: authority, urgency, sympathy, reciprocity, conformity, scarcity (Cialdini). Emblematic case: CEO fraud combining OSINT, urgency, authority. Defense: out-of-band validation protocol + targeted awareness + 'I'll call back to confirm' culture.

See also: phishing, spear-phishing, OSINT

Spear phishing

Targeted phishing on a specific person, built from their OSINT profile.

Spear phishing builds personalized messages from the target's OSINT (role, ongoing projects, relationships, tone). Much more effective than mass phishing. Privileged attack chain vector toward executives and sensitive functions (legal, finance, M&A).

See also: phishing, OSINT, social-engineering

SSO — Single Sign-On

Mechanism allowing one authentication to access multiple applications.

SSO allows a user to authenticate once with an identity provider (IdP) and access all federated applications. Protocols: SAML 2.0, OAuth 2.0, OIDC. Benefits: fewer passwords, centralized MFA, automatic provisioning. Structural risk: IdP compromise = everything compromised. The IdP admin account must be protected like a state secret.

See also: iam, saml, oidc

SSRF — Server-Side Request Forgery

Vulnerability forcing the server to make requests to internal targets.

SSRF forces the server to make requests toward internal targets (internal services, cloud metadata, localhost). Consequences: cloud metadata exfiltration (AWS EC2 IAM credentials), pivot to unexposed internal services. Vector in Capital One 2019 breach (100M accounts). OWASP Top 10. Defense: strict URL validation, IMDSv2 on AWS, Kubernetes NetworkPolicy.

See also: owasp
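The "strict URL validation" defense named above, worked through as an added example (not Shield's code and not any framework's built-in): a server-side fetch validates the scheme, rejects embedded credentials, and then checks every address the host resolves to against the ranges that must never be reachable from the server, which include the link-local block that hosts the cloud metadata endpoint and the RFC 1918 ranges where internal services live. The resolver is injectable so the demo runs offline against a constructed name table; the default resolver uses `socket.getaddrinfo`. Hostnames under `.example` and the 203.0.113.0/24 addresses are documentation values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Never reachable from a server-side fetch: unspecified, RFC 1918, CGNAT, loopback,
# link-local (where 169.254.169.254 metadata services live) and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 meaning
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_all(host: str) -> list:
    """Default resolver: every address (A and AAAA) the host currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_outbound_url(url: str, resolver=resolve_all) -> str:
    """Return the address the fetch must connect to, or raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address: nothing to resolve
    except ValueError:
        ips = resolver(host)                     # name: check every address it maps to
    if not ips:
        raise ValueError(f"{host} does not resolve")
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{host} maps to blocked address {ip}")
    return ips[0]

def is_allowed_outbound(url: str, resolver=resolve_all) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False

# Constructed name table standing in for DNS during the demo
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "rebind.attacker.example": ["203.0.113.20", "10.0.0.5"],  # one public, one internal answer
}

def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for url in ("https://api.partner.example/v1/status", "http://169.254.169.254/",
                "http://[::ffff:127.0.0.1]/", "file:///etc/hosts", "https://rebind.attacker.example/"):
        print(url, "->", "allowed" if is_allowed_outbound(url, fake_resolver) else "blocked")
```

The address this returns is the one the HTTP client must actually connect to; if the client re-resolves the name itself, a DNS answer that changes between the check and the connection (rebinding) bypasses the check, which is why redirects must be re-validated hop by hop as well. On AWS, IMDSv2 adds a second, independent layer because it requires a PUT-obtained token that a forged GET cannot carry.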

Supply chain attack

Compromising a target via a vendor or third-party component (software, hardware, service provider).

A supply chain attack compromises a target via a vendor or third-party component: software (SolarWinds 2020, 3CX 2023, XZ Utils 2024), hardware, service provider (compromising an MSP to reach its clients). Fast-growing vector: high efficiency (one vendor compromise = access to hundreds of targets). Defense: SBOM, critical vendor assessment, third-party access segmentation, dependency monitoring.

See also: sbom

T

Threat model

Mapping of actors, motivations, capabilities and potential impacts against a target.

A threat model maps the actors likely to attack a target, their motivations, capabilities, realistic attack vectors, and the feared impacts. Methods: STRIDE, PASTA, LINDDUN, attack trees. Start with: 'who wants what, for what purpose, with what means, and what happens to me if it works?'

See also: OSINT

TLS — Transport Layer Security

Transport encryption protocol, basis of HTTPS and modern web security.

TLS is the transport encryption protocol, successor to SSL. Current versions: TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446, 2018). TLS 1.3 simplifies the handshake (1-RTT), removes obsolete algorithms, improves confidentiality. Basis of HTTPS, DoT, SMTP/TLS, and most modern transport security.

See also: https, mitm, pki

Tor — The Onion Router

Anonymizing network routing traffic through 3 successive relays to hide origin.

Tor routes traffic through 3 successive relays (entry, middle, exit), each knowing only one hop. The destination sees a Tor exit IP, not yours. Combined with Tor Browser, it is the reference tool for operational anonymity. Limits: latency, some sites block Tor exit nodes, fingerprinting becomes possible if Tor Browser is modified. For journalists, dissidents, whistleblowers.

See also: vpn, fingerprinting

TOTP — Time-based One-Time Password

6-digit code generated every 30 seconds by an app (Google Authenticator, Authy, etc.).

TOTP (RFC 6238) is the algorithm behind 6-digit codes in Google Authenticator, Authy, Aegis. The shared secret is exchanged once via QR code. Stronger than SMS (resistant to SIM swap), but vulnerable to real-time phishing: a fraudulent site capturing your password AND TOTP code in under 30 seconds compromises you.

See also: MFA, FIDO2
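As an added illustration (not code from the glossary or from any authenticator app), the RFC 6238 computation using the RFC's own 20-byte test seed, a server-side check with a one-step drift window, and a small model of the real-time phishing case the entry describes: a code captured and relayed within seconds is still accepted, one relayed two minutes later is not. The drift window and relay delays are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the 20-byte seed from the RFC 4226/6238 test vectors,
# base32-encoded as an authenticator app receives it from the provisioning QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step, digits)

def verify_totp(secret_b32, code, unix_time, step=30, skew=1):
    """Server-side check: accept the current step and +/- `skew` neighbours for clock
    drift, comparing in constant time. A real server must also reject a code already used."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret_b32, current + d), code)
               for d in range(-skew, skew + 1))

def relayed_code_accepted(secret_b32, capture_time, relay_delay):
    """Model of real-time phishing: the code captured at `capture_time` is replayed to
    the legitimate server `relay_delay` seconds later. Returns whether it is accepted."""
    captured = totp(secret_b32, capture_time)
    return verify_totp(secret_b32, captured, capture_time + relay_delay)

if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code:", totp(SECRET_B32, now))
    print("code relayed after 20 s accepted:", relayed_code_accepted(SECRET_B32, now, 20))
    print("code relayed after 120 s accepted:", relayed_code_accepted(SECRET_B32, now, 120))
```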

TPM — Trusted Platform Module

Cryptographic chip on the motherboard storing keys and attesting boot integrity.

The TPM (ISO/IEC 11889) is a cryptographic chip storing sensitive keys (disk encryption, remote attestation) and attesting boot integrity. Essential for BitLocker (Windows), required by Windows 11. Also used for LUKS auto-unlock on Linux.

See also: bitlocker, secure-boot, luks

V

VPN — Virtual Private Network

Encrypted tunnel between your device and a server, masking your IP and traffic from your ISP.

A VPN creates an encrypted tunnel to a third-party server. Your ISP sees opaque traffic to the VPN server. What it protects: transit confidentiality, IP geolocation. What it does NOT protect: your identity (accounts you open), your exposure, your threat model if the adversary operates destination-side. VPN marketing is massively misleading.

See also: DNS, doh, wireguard

W

Wayback Machine

Web archive by Internet Archive capturing pages since 1996.

The Wayback Machine, operated by Internet Archive, has captured web pages since 1996 and stores hundreds of billions of snapshots. It allows consulting historical states of a page, even if the current version was modified or deleted. Structural OSINT source for reconstructing the history of an online presence. Removal requests are possible but slow and at IA's discretion.

See also: archive-today, OSINT

WebAuthn — Web Authentication

Browser API enabling FIDO2 authentication on websites.

WebAuthn is the W3C-standardized JavaScript API allowing a website to use a FIDO2 key (hardware or integrated) to authenticate a user. Coupled with CTAP2, it forms the pillar of FIDO2. Widely supported in modern browsers since 2019.

See also: FIDO2, passkey

WireGuard

Modern, simple, high-performance VPN protocol integrated into the Linux kernel.

WireGuard is a modern VPN protocol created by Jason Donenfeld, integrated into the Linux kernel since 5.6. Minimalist design (~4,000 lines vs ~600k for OpenVPN+OpenSSL), modern cryptography (Curve25519, ChaCha20, Poly1305, BLAKE2s). De facto standard for modern VPN deployments.

See also: vpn

X

XSS — Cross-Site Scripting

Web vulnerability injecting malicious code executed in another user's browser.

XSS injects malicious JavaScript into a page executed in another user's browser. Variants: stored XSS (persistent in DB), reflected XSS (via URL), DOM-based XSS. Consequences: session cookie theft, defacement, phishing redirect, keylogging. Defense: contextual output encoding, strict CSP, modern frameworks encoding by default.

See also: csp, owasp

Y

YubiKey

Yubico hardware authentication key supporting FIDO2/WebAuthn, OTP, PIV, OpenPGP.

YubiKey is Yubico's hardware authentication key range. Protocols: FIDO2/WebAuthn, FIDO U2F, TOTP/HOTP, PIV smart card, OpenPGP. Formats: USB-A, USB-C, Lightning, NFC. Always buy at least 2 keys (single key loss without backup = lockout). Alternatives: Solokey, Nitrokey, Token2.

See also: FIDO2, webauthn

Z

Zero Trust

Principle: never trust by default, verify each request.

Zero Trust means never trusting by default (neither network, nor user, nor device), verifying each request in context (identity, posture, resource sensitivity). Formalized by John Kindervag (Forrester) in 2010, taken up by NIST SP 800-207 (2020). Often degraded into marketing. A real Zero Trust transformation is a multi-quarter project touching identity, network, applications, governance.

See also: ztna, NIST, iam

ZTNA — Zero Trust Network Access

Access model verifying each request rather than trusting the source network.

ZTNA applies Zero Trust to network access: no implicit trust based on network location, each access verified per request (identity, device posture, context). Actors: Cloudflare Access, Zscaler Private Access, Tailscale, Twingate. Modern alternative to traditional enterprise VPNs. Requires mature identity management.

See also: zero-trust, vpn, casb