Expand your cybersecurity education with an in-depth glossary of data security terminology and concepts.
Any information that is protected against unwarranted disclosure for legal, ethical, privacy, financial, or other reasons. This can include, but is not limited to, health data, personal information, and confidential data such as trade secrets.
Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. According to NIST, this is information whose loss, misuse, unauthorized access, or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. GDPR refers to this as sensitive personal data: a mixture of private opinions and health information that falls into specialized, legally protected categories. Businesses must treat this data with the highest level of security.
Any unapproved cloud-based account or solution implemented by an employee for business use. It might also include the use of an unknown account with an approved provider, but administered by the user rather than corporate IT.
An unapproved cloud application that is connected in some way (typically by API) to the organization's SaaS or IaaS environment, with access to corporate data but without permission from the organization.
Stale data is data collected that is no longer needed by an organization for daily operations. Sometimes the data collected was never needed at all. Most organizations store a significant amount of stale data, which may include:
Simply creating an updated version of a file and sharing it but not deleting the obsolete versions increases the quantity of stale or inactive data. This type of activity happens many times a day in the typical organization.
Increasingly, petabytes of data are stored in different public and private cloud platforms and are dispersed around the world. These file shares and document management systems, often poorly secured, present an appealing target for cyber attackers. If organizations store a significant amount of unstructured data, they are unlikely to have visibility into their data surface footprint, and even less likely to be protecting it adequately. Stale and unstructured data may be:
Stale data is also not relevant to daily operations and can therefore impede a business's ability to make good decisions based on current market conditions. A study by Dimensional Research showed that "82 percent of companies are making decisions based on stale information" and "85 percent state this stale data is leading to incorrect decisions and lost revenue."
The shift to the cloud creates several challenges. Many organizations do not know what data they have, where it is located (on premises, in public or private cloud environments, or a mix of these), why it is being stored, or how it is protected.
Although big data and data analysis can provide actionable insights and improve automation capabilities, much of the data organizations collect, process, and store is unorganized and unstructured. Unfortunately, stale or inactive data can increase storage costs and security risks alike, without providing any business benefit at all. To reduce risks, organizations must identify stale data and then decide whether to move the data (storing it more securely), archive the data, or delete it. Organizations must also establish a consistent policy to identify and manage stale data on an ongoing basis.
Data in a standardized format, with a well-defined structure that is easily readable by humans and programs. Most structured data is stored in a database. Though structured data comprises only 20 percent of data stored worldwide, its ease of accessibility and accuracy of outcomes make it the foundation of current big data research and applications.
Tokenization entails the substitution of sensitive data with a non-sensitive equivalent, known as a token. The token maps back to the original sensitive data only through the tokenization system, which makes tokens practically impossible to reverse without access to that system. Many such systems use random numbers to produce secure tokens. Tokenization is often used to secure financial records, bank accounts, medical records, and many other forms of personally identifiable information (PII).
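An added example (not code from this glossary) of the vault-based scheme described above: tokens are generated from random digits, keep the length and last four digits of the original value so records stay recognizable, and can only be reversed by a lookup in the vault. The card-number-style input used in the docstring is constructed.

```python
import secrets


class TokenVault:
    """Constructed example of a vault-based tokenization service.

    Tokens are random, so they carry no information about the original
    value; the only way back is a lookup in the vault. A production vault
    would encrypt what it stores and restrict who may call detokenize().
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_token(value: str) -> str:
        # Format-preserving: same length, digits only, last four digits kept
        # so staff can still refer to "the card ending 1111".
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(value) - 4))
        return body + value[-4:]

    def tokenize(self, value: str) -> str:
        """Return a token for value, reusing the existing one on repeats."""
        if not (value.isdigit() and len(value) >= 8):
            raise ValueError("expected a numeric value of at least 8 digits")
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = self._random_token(value)
        # Retry on the (astronomically rare) collision or identity token.
        while token in self._token_to_value or token == value:
            token = self._random_token(value)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to the sensitive value; only the vault can do this."""
        return self._token_to_value[token]

    def holds(self, token: str) -> bool:
        return token in self._token_to_value
```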
Unmanaged data stores are deployments that must be fully supported by development or infrastructure teams, without the assistance of the cloud service provider. Teams may take on this additional logistical burden to comply with data sovereignty requirements, to abide by private network or firewall requirements for security purposes, or to meet resource requirements beyond the provider's database-as-a-service (DBaaS) size or IOPS limits.
Data lacking a pre-defined model of organization or that does not follow one. Such data is often text-heavy, but can also include facts, figures and time and date information. The resulting irregularities and ambiguities make unstructured data much harder for programs to understand than data stored in databases with fields or documents with annotations. Many estimates claim unstructured data comprises the vast majority of global data, and that this category of data is growing rapidly.
A vulnerability is a weakness in internal controls, system security procedures, an information system, or its implementation that could be exploited or triggered by a threat source. Weakness is synonymous with deficiency and may result in security risks, privacy risks, or both.
In cybersecurity terms, a vulnerability is a security exposure that exists in an operating system, in system software, or in an application software component. Each vulnerability can potentially compromise the system or network if exploited.
There are multiple publicly accessible databases of vulnerabilities, sometimes indexed by software version number. Common Vulnerabilities and Exposures (CVE), operated by The MITRE Corporation, is the common means of enumerating publicly known information security vulnerabilities.
CVE identifiers give each vulnerability a unique name/number. The Common Vulnerability Scoring System (CVSS) is an open industry standard owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization.
CVSS 3.1 identifies the severity of a vulnerability based on the following metrics:
Base metrics
Impact metrics
A flaw may be the result of poor design or implementation mistakes, and results in unintended functionality. CVSS also defines temporal metrics (exploit code maturity, remediation level, and report confidence) and environmental metrics (modified base metrics plus confidentiality, integrity, and availability requirements).
The Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses that have security ramifications. Weakness severity is scored using the Common Weakness Scoring System (CWSS™) and the Common Weakness Risk Analysis Framework (CWRAF™), based on base findings, attack surface, and environmental metrics. An attacker may exploit vulnerabilities, weaknesses, or user errors individually or combine them to carry out an attack. These metrics help incident response teams and cybersecurity professionals determine the threat level of a vulnerability and how best to address it.