The CyberDico

Published on 09 October 2024. Updated on 19 June 2025.


A

Adware

Code used to display advertising banners via the user's Internet browser.

Note: This code is often perceived as an intrusive method. In many cases, it has other effects on the system, such as the appearance of pop-ups, and degradation of the user's bandwidth or machine performance.

Adversary-in-the-middle

A type of attack in which a malicious person interposes themselves in an exchange, in a way that is transparent to users or systems.

Alert

“Alerting” consists in notifying an entity in such cases where a potential security incident has been detected which might impact it – ranging from a more or less significant risk to a proven incident. The alert is issued by an actor of the ecosystem, towards one or several potential victims.

Audit

Systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the requirements of a standard have been met.

Authenticity

The information is attributed to its legitimate author.

Authentication

The purpose of authentication is to verify the identity of an entity (person or machine). Authentication is always preceded by or combined with identification, which enables the entity to be recognised by the system through an element with which it has been endowed: an identifier. In short, to identify oneself is to communicate a presumed identifier, and to authenticate oneself is to provide proof that the entity has been assigned this identifier.

Automated data processing system

Refers to the infrastructure and software services used to collect, process, transmit, and store data in digital form.

Asymmetric cryptography

Asymmetric cryptography, otherwise known as public-key cryptography, relies on pairs of corresponding public and private keys to encrypt and decrypt messages.

Assistance

All of the services provided to victims and potential victims. We may distinguish any assistance pertaining to the source of an incident from the assistance provided in order to handle the impacts engendered by said incident.

Attack detection

Comprehensive, controlled security monitoring service. Search for technical markers specific to certain attackers, such as the IP address of a malicious server or the name of a booby-trapped website.

Anonymisation network

Network of compromised machines communicating with each other, used by a group of attackers to make their operations stealthier.

B

Backdoor

Concealed access, either software or hardware, enabling a malicious user to connect to a machine by stealth. A backdoor can also be the cause of an incorrect protocol implementation.

Back-office

IT and logistical support for one or more counters.

Big Data

Volume of structured and unstructured data so large that it requires appropriate analysis tools.

Blockchain

Veritable register of digital accounts based on trust, the blockchain enables collaborative management of transactions between different players, without intermediaries (governments, banks, notaries, etc.). This technology is based on a cryptographic process that assembles these transactions to form "blocks" which, once validated by the same process, are added to the blockchain to which users have access. These transactions include the exchange of cybercurrencies (or cryptocurrencies) such as bitcoin, to which we owe the popularization of the blockchain.

Blog

Internet site, often personal, presenting short articles or notes in chronological order, often accompanied by links to other sites.

Boot

Process of starting (or restarting) a computer via hardware (e.g. the start button on the computer) or via a software command.

Bootkit

Malware that infects the operating system's boot process, enabling it to be taken over.

Botnet

A botnet is a network of compromised machines at the disposal of a malicious individual (the master). This network is structured in such a way as to enable its owner to transmit orders to all or some of the machines in the botnet, and to operate them at will. Some botnets can reach considerable numbers of machines (several thousand). These machines can be used for illicit trade or malicious actions against other machines.

Box

Device enabling terminal-based access to several communication services (Internet, telephony, television and storage).

Bug

Defect in design or construction resulting in malfunctions.

Bug bounty program

Call on specialists to search for vulnerabilities in applications or server configurations, in exchange for a fee for discoveries and reports.

BYOD (Bring Your Own Device)

Refers to the professional use of personal equipment such as a smartphone or computer.

Buffer overflow

Technique for exploiting a vulnerability in the code of a program that does not correctly check the size of certain data it manipulates.

Brute-force attack

An attack technique that uses an exhaustive number of randomly generated authenticators (password, key, etc.) in order to guess them.

Business continuity plan (BCP)

Set of documented procedures to guide entities in responding to, restoring, resuming and recovering a predefined level of operation following a disturbance.

Business Email Compromise (BEC)

A type of scam which consists in manipulating a company’s staff member(s) into making an unplanned transfer of funds.

C

Capacity building

Capacity development, capacity building

Certification

Certification is the attestation of a product's robustness, based on a conformity analysis and penetration tests carried out by a third-party evaluator under the authority of ANSSI, according to a scheme and a reference framework adapted to users' security needs and taking account of technological developments.

Close access

Includes Wi-Fi and radio-wave attacks.

Close access

Attacks with physical access to the network.

Cloud

Model enabling easy, generally on-demand, network-based access to a set of shared, configurable computing resources.

Covert channel

A communication channel that enables a malicious process to transfer information in a concealed way. The channel ensures communication by exploiting a mechanism that is not supposed to be used for communication.

Containment

Containment refers to all the actions taken at the start of an IT security incident to contain the extent of the incident. Most containment measures disrupt the normal operation of the information system, or consume abnormal amounts of resources. As such, they are generally not intended to be prolonged. Implementation of the remediation plan should enable the containment measures to be lifted to a position that can be sustained over time.

Cloud computing

Model enabling access, generally on demand and via a network, to a set of shared and configurable IT resources.

Cloud computing service provider

The requirements framework for cloud computing service providers is a set of rules for providers wishing to qualify their services in this field. It covers requirements relating to the cloud computing service provider, its staff and the provision of services. Qualification can be issued to cloud computing service providers for SaaS (Software as a service), PaaS (Platform as a service) and IaaS (Infrastructure as a service) services.

CNIL, the French Data Protection Authority

The CNIL is responsible for ensuring the protection of personal data contained in computer files and processing, whether public or private. It is therefore responsible for ensuring that information technology serves the citizen and does not infringe on human identity, human rights, privacy or individual or public freedoms.

Computer Emergency Response Team (CERT)

Cyber incident response center.

Computer Security Incident Response Team (CSIRT)

Cyber incident response center.

Computer hacker

The term "hacker" is commonly used to describe the perpetrator of a computer attack.

Cookie

Information stored by the browser on the hard disk when a website is consulted, enabling the server to memorise information about the user and their behaviour.

Crawler

Web-crawling programme used to extract content, with the intention of cataloguing it (e.g. search engine).

Credential stuffing

A type of attack in which the perpetrator collects stolen account credentials and then uses them to gain unauthorized access to accounts on other systems through large-scale automated login requests.

Crisis management

A management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience, with the ability for an effective response that preserves the interests of the organisation's key stakeholders, its reputation, brand and value-creating activities, and efficiently restores operational capabilities.

Crisis of cyber origin

A crisis of “cyber origin” may be defined as the major and immediate destabilisation of an organisation’s operations (cessation of activities, inability to provide services, heavy financial losses, significant loss of integrity, etc.), brought about by one or several malicious acts carried out against its services and digital devices (ransomware attacks, denials of service, etc.). Such events have a significant impact on the organisation, which may not be handled via the usual processes and in the usual operational context. Accidental events – meaning those which are not engendered by malicious activity on the organisation’s information systems – and malicious activities which do not cause the major and immediate interruption of the organisation’s essential services are excluded from this definition.

Cross-Site Request Forgery (CSRF)

Attack causing the victim to send requests to a vulnerable site, without their knowledge and on their behalf.

Cryptography

Cryptography uses an encryption algorithm to transform a clear message into an encrypted one, in order to ensure the availability, confidentiality and integrity of the data exchanged. In this way, two parties can communicate confidentially and securely, provided they possess the key enabling them to encrypt and/or decrypt their messages. Cryptography is also used for other applications, such as authentication and (digital) signature of messages, all of which - including encryption - have the purpose of processing, storing or transmitting data securely.

Cryptology

Science encompassing cryptography and cryptanalysis.

Cryptocurrency

Cybercurrency is a virtual currency that enables users to exchange money anonymously and without intermediaries. Its operation is based on a register of digital accounts - the blockchain - which validates transactions and issues the currency according to cryptographic principles. Several cybercurrencies are in circulation today, including the best-known: bitcoin.

CSIRT/CERT

Computer Security Incident Response Teams, or Computer Emergency Response Teams, are public or private entities responsible for processing security events. Their missions include: handling cyber incidents which, in certain cases, may be linked to broader crises of cyber origin; remediating the impacts of incidents; carrying out doubt removals; providing assistance; implementing preventive measures; and, where appropriate, identifying the cyber threats affecting one or several sectors of activity.

Cyberspace

A communication space formed by the worldwide interconnection of automated digital data processing equipment.

Cybersquatting

Registering a domain name for the sole purpose of blocking any subsequent allocation of this name to more natural or legitimate holders.

Cybermalicious activities

Cybermalicious activities are any crime committed through digital means. They can include phishing, account or equipment hacking, identity theft, ransomware attacks, etc.

Cyberattack

A cyberattack consists in violating one or several information systems with the intention of serving malicious interests. Such an attack may target different types of computing devices: computers and servers – isolated or linked by networks, online or offline – peripheral equipment, and even communication devices such as smartphones, tablets, and other connected devices. The security of these systems is undermined either via cyber means (virus, malware, malicious use of compromised legitimate accesses, exploitation of vulnerabilities), via manipulation, or via physical means (intrusion, destruction). The four main objectives of cyberattacks are: financial gain, destabilisation, espionage, and sabotage.

Cyber crime

Acts that contravene international treaties or national laws, using networks or information systems as a means of committing an offence or crime, or targeting them. Cyber crime does not necessarily use cyberattacks to achieve its ends; for example: telephone or email scams, phishing, FOVI, etc.

Cyber crisis

A ‘cyber’ crisis is defined as the immediate and major destabilisation of an organisation's current or future operations (loss of markets, cessation of activities, inability to deliver services, heavy financial losses, major loss of integrity, etc.) due to one or more malicious actions on its services and digital tools (cyber attacks such as ransomware, denial of service, etc.). It is therefore a high-impact event, which cannot be dealt with by the usual processes and as part of the organisation's normal operations.

Cyber defence

All the technical and non-technical measures enabling a State to defend its essential information systems in cyberspace.

Cyber security

The desired state of an information system, enabling it to withstand events originating in cyberspace that could compromise the availability, integrity or confidentiality of the data stored, processed or transmitted, and the related services that these systems offer or make accessible. Cybersecurity calls on information systems security techniques, and is based on the fight against cybercrime and the implementation of cyberdefense.

Cyber defence operation

In ANSSI's taxonomy, a cyber defense operation is the Agency's maximum level of commitment in dealing with a security event. This commitment is reserved for events of significant severity and complexity.

Critical sector

In the aftermath of the September 11, 2001 attacks, France launched a review of the concept of critical infrastructure, with a view to modernizing the protection of sensitive points and networks. The decree of February 23, 2006 defines activities of vital importance as "a set of activities, essential and difficult to substitute or replace, working towards the same objective or aiming to produce and distribute essential goods or services". Twelve sectors of vital importance were defined in a decree of June 2, 2006, amended by a decree of July 3, 2008, within which Operators of Vital Importance (OIV) were identified, responsible for protecting their Points of Vital Importance (PIV). Each sector is attached to a coordinating ministry responsible for steering the work and consultations.

D

Daemon

Permanently active programme used on multitasking systems to perform certain functions without user intervention.

Darknet

Part of the Internet that requires the use of a specific protocol (encryption, proxy, etc.).

Data exfiltration

Theft or unauthorized transfer of data from a terminal or network.

Deep Web

Part of the Internet that is not accessible to search engines.

Defacement

The result of malicious activity that has altered the appearance or content of an Internet server, thereby violating the integrity of the pages by altering them.

Denial of Service (DDoS)

Action that prevents or severely limits a system's ability to provide the expected service. The action may be malicious or may be the result of incorrect sizing of the

Destabilisation

Action designed to undermine the stability or proper functioning of processes and institutions with a view to resonance.

Detection

Detection refers to the means implemented in order to monitor the information system and its interdependencies, and identify security events.

Detection rule

A detection rule is a combination of symptoms observable at a data source, the occurrence of which is characteristic of suspicious or malicious activity. Depending on the detection method and the level of sophistication of the detection rule used to characterize malicious events, it is also referred to as a marker, attack signature or behavioral rule.

Detection capabilities

Comprehensive, controlled security monitoring capability. Our detection experts draw on their expertise in strategic threats and their knowledge of mass-attack techniques. They seek to detect technical markers specific to certain attackers, such as the IP address of a malicious server or the name of a booby-trapped website.

Dialer

Software that automatically dials telephone numbers.

Digital risk analysis

Digital risk analysis aims to assess the digital risks facing an organization - whether public or private - and to identify the security measures to be implemented to control them. ANSSI, with the support of the EBIOS Club, publishes a method dedicated to this exercise: EBIOS Risk Manager.

Digital trust

The digital transformation of society is leading to massive growth in electronic exchanges, highlighting the need for a trusted cyberspace capable of guaranteeing the security of these exchanges, in particular by ensuring the reliability of the information transmitted, the safety of the services used and, more generally, respect for citizens' privacy.

Digital threat

Generic term used to designate any hostile intention to do harm in cyberspace. A threat may or may not be targeted on the object of study.

Digital mobility

Digital nomadism refers to any form of information technology use that enables a user to access the IS of the entity to which they belong or where they work, from remote locations that are not controlled by the entity.

Digitalisation/scanning

Conversion of analog data, such as a paper document, into digital form.

Disaster recovery plan (DRP) (ISO 22301)

The procedures documented to enable entities to restore and resume their activities based on temporary measures adopted to meet normal business requirements after an incident.

Directive on security of Network and Information Systems (NIS)

The NIS 2 directive aims to reinforce the level of cybersecurity of the economic and administrative fabric of EU member countries.

DNS pharming

Modification of a DNS server to redirect a domain name to an IP address other than the legitimate one.

DNS spoofing

When a DNS request is sent by a client, a DNS spoofing attack consists of the attacker sending a malicious response instead of the DNS server being queried, or modifying the legitimate response from the latter. These ‘man-in-the-middle’ attacks do not require any prior interaction with the victim or the compromise of a DNS server. It is interesting to note that DNS spoofing can lead to the poisoning of DNS server caches.

Domain name system (DNS)

Service enabling a correspondence to be established between a domain name and an IP address.

Domain Name System Security Extensions (DNSSEC)

Security extensions to the DNS protocol.

Doubt removal

Refers to all of the verification actions performed in order to qualify an event which occurred on an automated data processing system. Doubt removal efforts should help to differentiate false positives from security incidents in order to facilitate a response.

Dropper

Programme used to install malware on a targeted system. A minimalist form of Trojan horse.

Drive-by download

Malware download carried out against the user’s will when visiting a hacked website.

 

E

EBIOS Risk Manager

French risk analysis method that enables organizations to assess and treat risks.

Encryption

Cryptographic transformation of data to produce a cryptogram.

Eradication

Eradication refers to the investigation and neutralisation of the attacker's residual or potential hold on the information system around the trusted core, together with measures to prevent the attacker's return. Eradication on a large system can be a massive undertaking. For this reason, eradication operations are often phased by department, business line or sector of the information system.

Espionage

A type of attack in which an attacker discreetly gains a foothold in the victim's information system, extracting information of strategic importance to the company. Such an attack, often sophisticated, can last several years before being detected.

European Cybersecurity Month (ECSM)

European Cybersecurity Month is an initiative of the European Union's Cybersecurity Agency (ENISA). It aims to promote the subject of cybersecurity across EU countries, to help people better understand and tackle threats.

Eviction

Regaining control of an information system requires the creation, or re-creation, of a trusted core. This sub-system, which is kept out of the attacker's reach by strong measures, is the foundation of the recovery actions. From this trusted core, the defenders will be able to work on the rest of the information system beyond the reach of the attacker. Eviction therefore consists of recreating a trusted core using information from the system that has been compromised. In some cases, eviction involves recreating old elements of the information system without reusing them. In most cases, eviction is a combination of filtering and cleaning information from the compromised system before using it on reinstalled systems.

Exploit

All or part of a program that enables a vulnerability or set of vulnerabilities in a software program (system or application) to be used for malicious purposes.

F

Foreign digital interference

Foreign digital interference is a specific type of information manipulation campaign defined by four criteria: 1/ the targeting of the fundamental interests of the Nation; 2/ the use of inaccurate, misleading or false content; 3/ the use of inauthentic spreading (artificial or automated, massive and deliberate); 4/ the involvement of a foreign State or a foreign non-State actor.

French Cybersecurity Agency

ANSSI is the national authority for cybersecurity and cyberdefense. Its role is to build and organize the nation's protection against cyber attacks. Reporting to the General Secretary for National Defense and Security (SGDSN), the Agency is a department of the Prime Minister, whose activities are exclusively defensive in nature.

French cyber security model

The French model of cybersecurity and cyberdefense is based on a clear separation, within the State, between defensive and offensive missions.

Front-office

Interface for accessing online services.

Firewall

A firewall is a tool used to protect a computer connected to a network or the Internet. It protects against external attacks (inbound filtering) and often against illegitimate connections to the outside world (outbound filtering) initiated by programs or people.

Forensic analysis

Forensic analysis (investigation) is the process of collecting and analysing any technical, functional or organisational element of the information system that makes it possible to classify a suspicious situation as a security incident and to understand the modus operandi and the extent of a security incident on an information system.

 

G

GDPR (General Data Protection Regulation)

Regulates the processing of personal data within the territory of the European Union. The CNIL in particular is in charge of handling complaints and developing new compliance tools to guarantee the protection of personal data for all.

H

Hash Function

Cryptographic function that transforms a chain of characters of any size into a chain of characters of a fixed and generally smaller size. Among other things, this function satisfies two properties. The function is "one-way": for a given image of the function, it is difficult to calculate the associated antecedent. The function is "collision-free": it is difficult to find two different antecedents of the function with the same image.

Hacktivist, Hacktivism

Individuals whose aim is to convey messages and ideologies by using cyber attacks to amplify the impact of their actions.

Hub

Computer device placed at the node of a star network, which concentrates and distributes data communications.

I

Internet Service Provider (ISP)

A company or person whose business is to provide access to online public communication services, in other words to the Internet.

Iframe

An iframe or inline frame is an HTML tag used to insert an HTML document into an HTML page. (cf. CERTA bulletin 2008-Inf-001)

Indicator of compromise (IOC) or Technical marker

Combination of technical and contextual information that indicates a compromise or attempted compromise, the presence of which can be identified from the analysis of a system, malicious code or network traces.

Integrity

Guarantee that the system and the information processed are only modified by a voluntary and legitimate action.

Intrusion

Intrusion is the act of a person or object entering a defined space (physical, logical, relational) where its presence is not desired.

Information system (IS)

All the IT infrastructures and software services used to collect, process, transmit and store data in digital form.

Incident notification

An incident notification is any detailed description of the technical characteristics of one or more security events likely to lead to the discovery of a security incident on a given organization's information system.

J

Jailbreak

The action of bypassing a system's protections to remove the restrictions on use put in place by the manufacturer.

K

Keylogger

Software or hardware used by a malicious user to capture what a person types on the keyboard.

Kernel

One of the fundamental parts of certain operating systems. It manages the computer's resources and enables the various components (hardware and software) to communicate with each other.

L

Local access

Attacks with physical access to the network or equipment.

Logic bomb

Malware designed to cause damage to a computer system and triggered when certain conditions are met. Some viruses contain a logic bomb function: triggered on a fixed date, or when a particular web address (URL) is entered in the browser.

M

Mail bombing

Sending a large number of e-mails to a single recipient with malicious intent. A particular form of denial of service against e-mail systems.

Major incident

In ANSSI's taxonomy, a major incident is one whose severity and impact require a major intervention by ANSSI.

Managed services, IT outsourcing

Contractual outsourcing of all or part of a company's IT resources.

Man in the cloud

Attack giving remote access to the network via cloud spaces, allowing data to be exfiltrated and arbitrary commands to be executed.

Man-in-the-middle

Category of attack in which a malicious person interferes in an exchange in a way that is hidden from users or systems. Note: The connection is maintained, either by substituting the transferred elements, or by reinjecting them. A well-known attack in this category involves compromising ARP tables (ARP Poisoning). Countering man-in-the-middle attacks is also one of the objectives of key management infrastructures.

Microblog

A blog made up of short messages posted in real time, often containing keywords and linked together to form discussion threads.

Mining malware

Malware enabling a type of operation which consists in confirming a transaction – made in Bitcoin, for example – via the encryption of data, and recording it in the blockchain.

Mail harvesting

Action which consists of scanning a large number of public resources (Internet pages, newsgroups, etc.), in order to collect e-mail addresses with malicious intent. Note: The addresses collected are used, for example, to send e-mails containing viruses, hoaxes or spam. One way to prevent this is to present an e-mail address on these public resources that misleads search tools (such as prenom.nom_AT_domain.fr for tools looking for '@', the characteristic of an address); this is called address munging.

Managed Security Service Provider (MSSP)

Entity offering an information systems security service that complies with the standard.

N

N-day or one-day

Vulnerability for which a security patch is available but has not been deployed by the user, making it possible to exploit the vulnerability.

Notification of incident

The legal obligation to declare, under certain conditions, a security incident to the relevant authority.

O

Obfuscation

Transforming source code with the intention of making it indecipherable. May be used to prevent the abusive use of a programme.

On-premise

Software or infrastructure hosted and operated locally, on the organisation's own premises, as opposed to in the cloud.

Operator of essential services (OES)

An OES is an operator dependent on networks or information systems, providing an essential service whose interruption would have a significant impact on the functioning of the economy or society.

Operator of critical national infrastructures (OIV)

An operator of vital importance (OIV) is, in France, an organisation identified by the State as having activities that are indispensable to the survival of the nation or dangerous to the population.

P

Parser

Syntactic analysis tool used to analyse structured text.

Personal data

Any information relating to an identified or identifiable natural person. Because it concerns individuals, they must retain control over it. A natural person can be identified directly (e.g. first and last name) or indirectly (e.g. by a telephone or license plate number, an identifier such as a social security number, a postal or e-mail address, but also by voice or image).

Phreaking/Telephone hack/Telephone hijack

Fraudulent practice which consists in deceiving a person, by way of a phone call or during an intervention on a telephone network, in order to obtain unearned advantages.

Post-quantum cryptography

Set of (public-key) cryptographic algorithms designed to resist not only current cyberattacks, but also attacks conducted by high-capacity quantum computers. Post-quantum algorithms may be implemented on current computers (see the position paper on QKD co-published alongside the BSI).

Position Paper on Quantum Key Distribution

Port scanning

Technique that consists of sending data packets to the various ports of a machine, then deducing the status (availability) of these ports based on the response returned, if any exists.

Proof of Concept

Code written to demonstrate the feasibility of an attack using a given vulnerability.

Privilege escalation

Mechanism enabling a user to obtain privileges greater than those they normally have.


Public Key Infrastructure (PKI)

Organized set of components providing cryptographic key and public key certificate management services for a community of users.

 

Parental control software or filtering

These are protection systems that can be installed on a computer to block access to sites unsuitable for children. Some can also be used to configure Internet access (time slots, duration, applications, etc.). All personal computers used by minors should be equipped with such software (see the results of our comparison of the main software available on the market).

 

Password

A password is an unlocking element used in the verification of a person's announced identity by an information system.

 

Password spraying

Attempting to log in to many accounts with a single, commonly used password, so that each account sees only one or two failures and account lockout thresholds are not triggered (the reverse of brute force, which tries many passwords against one account).
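Detection logic for the pattern just described, as an added example that is not part of the original page: the signature of spraying is one source hitting many distinct accounts with few attempts each, while brute force is one source hitting one account many times. The log format, the sample lines and the thresholds are constructed for the example; grouping only by source IP is a simplification, since a spray spread across many addresses would need grouping on another key (target tenant, user agent, time bucket).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real product's): "<iso-timestamp> FAILED user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 203.0.113.5 sprays six accounts once each, 198.51.100.7
# brute-forces "admin", and 192.0.2.9 is a user mistyping their password once.
SAMPLE_LOG = """\
2024-10-09T08:00:01 FAILED user=alice src=203.0.113.5
2024-10-09T08:00:02 FAILED user=bob src=203.0.113.5
2024-10-09T08:00:03 FAILED user=carol src=203.0.113.5
2024-10-09T08:00:04 FAILED user=dave src=203.0.113.5
2024-10-09T08:00:05 FAILED user=erin src=203.0.113.5
2024-10-09T08:00:06 FAILED user=frank src=203.0.113.5
2024-10-09T08:00:07 FAILED user=admin src=198.51.100.7
2024-10-09T08:00:08 FAILED user=admin src=198.51.100.7
2024-10-09T08:00:09 FAILED user=admin src=198.51.100.7
2024-10-09T08:00:10 FAILED user=admin src=198.51.100.7
2024-10-09T08:00:11 FAILED user=admin src=198.51.100.7
2024-10-09T08:00:12 FAILED user=grace src=192.0.2.9
"""

def parse(log: str):
    """Yield (timestamp, user, src) for each failed-login line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def detect_spraying(log: str, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for sources that, inside a sliding `window`,
    failed against at least `min_users` distinct accounts while never exceeding
    `max_per_user` attempts on any one of them."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(parse(log)):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        hit = set()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hit.update(counts)
        if hit:
            flagged[src] = sorted(hit)
    return flagged

def detect_bruteforce(log: str, window=timedelta(minutes=10), min_attempts=5):
    """Return sorted (src, user) pairs where one source hit one account at least
    `min_attempts` times within `window`; kept separate so the two patterns
    raise different alerts."""
    by_pair = defaultdict(list)
    for ts, user, src in sorted(parse(log)):
        by_pair[(src, user)].append(ts)
    return sorted((src, user) for (src, user), tss in by_pair.items()
                  if len(tss) >= min_attempts and tss[-1] - tss[0] <= window)
```

Per-account lockout does nothing against the first pattern; the useful controls are a per-source (or per-tenant) failure budget across all accounts, and banning the handful of passwords a sprayer relies on.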

 

Peer-to-peer (P2P)

Network where each entity is both client and server. Network for exchanging and sharing files between individuals.

 

Phishing

Fraudulent technique intended to deceive the Internet user by posing as a trusted third party (fake SMS, email, etc.) to prompt them to communicate personal data (access accounts, passwords, etc.) and/or bank details. This type of attack can be used for both an espionage attack and a ransomware attack.

 

Polymorphic

A worm or virus whose code is encrypted, changing the decryption code from one infection to the next, and thus its appearance and/or signature.

 

Port

Numeric code used in protocols such as TCP or UDP to identify to which service an IP protocol information packet belongs. For example, the https service is associated with port 443. The notion of a port can be likened to a door giving access to the operating system.

 

Prevention

Refers to all of the cybersecurity awareness-raising, training, and instruction efforts implemented.

 

Preparation

Refers to the measures implemented in an effort to anticipate the course of action to be followed in the event of a cyberattack, and to limit its impact. Preparation facilitates reporting, alerting, and the provision of assistance.

 

PACS (Cyber security support and consulting service provider)

The PACS standard is designed to support information systems security managers and their teams in their missions to protect information systems, including security certification, risk management, design of secure architectures, and preparation for the management of cyber-related crises.

 

PAMS (Secure administration and maintenance service provider)

The requirements framework for secure administration and maintenance service providers is a set of rules for service providers wishing to qualify their services in this field. It covers requirements relating to secure administration and maintenance providers, their staff and the way in which services are provided.

 

PASSI (Cyber security audit service provider)

The requirements framework for information systems security auditors is a set of rules for service providers wishing to qualify their services in this field. It covers requirements relating to the audit provider, its staff and the conduct of audits. Qualification can be awarded to audit providers for the following activities: architecture audit, configuration audit, source code audit, penetration testing, organizational and physical audit.

 

PDIS (Cyber security incident detection service provider)

The requirements framework for security incident detection service providers is a set of rules for service providers wishing to qualify their services in this field. It covers requirements relating to the incident detection service provider, its staff and the way in which incident detection services are carried out. Qualification can be awarded to incident detection providers for their entire security incident detection activity.

 

PRIS (Cyber security incident response service provider)

The requirements framework for security incident response providers is a set of rules for providers wishing to qualify their services in this field. It covers requirements relating to the incident response provider, its staff and the way in which incident response services are carried out. Qualification can be awarded to incident response providers for the following activities: technical control, system analysis, network analysis and malicious code analysis.

 

Q

Qualification

Its aim is to ensure that a security product (hardware or software) or a trusted service provider meets the needs of the administration.

 

Quishing

Phishing via quick response codes; contraction of QR (quick response code) and phishing. Practice that consists of redirecting a victim to a malicious resource (phishing website, malware, etc.) when the QR code is scanned.

R

Ransomware

Malicious program designed to obtain payment of a ransom from the victim. Ransomware is one of the tools used by profit-driven cybercriminals. In a ransomware attack, the attacker reversibly disables the victim's computer or information system, most often by encrypting its data. The attacker then leaves a readable ransom note for the victim, offering to decrypt the data in return for payment of a ransom.

 

Remote code execution (RCE)

Execution of attacker-chosen commands on a remote computer, without the knowledge of its legitimate user.

 

Removal of doubt

Set of verification actions carried out to confirm or invalidate a computer security alert or report.

 

Remedial plan

Plan to rebuild an IS following an attack.

 

Rebuilding

Rebuilding is a support activity for remediation, the aim of which is to provide the IT resources needed to restore the information system and the security conditions under which it operates.

 

Requirements rules set

The requirements repository is a set of rules for service providers wishing to qualify their services in a given field.

 

RGS (General Security Baseline)

A set of rules established by ANSSI and set out in Order no. 2005-1516 of December 8, 2005 "relating to electronic exchanges between users and administrative authorities and between administrative authorities", which must be respected by certain functions contributing to information security, including electronic signature, authentication, confidentiality and time stamping.

 

Remediation

Remediation is defined as the project to regain control of a compromised information system and restore it to a sufficiently functional state. It corresponds to a sequence of actions enabling the system to move from a compromised state to a desired state. In the case of an IT security incident, this work begins as soon as the incident is contained and can extend over several months.

 

Remediation plan for cyber incident

The remediation plan for a cyber incident is the list of actions to be taken to bring the information system into compliance with the operational remediation objectives. This plan can be broken down into sub-projects for each operational remediation objective.

 

Reporting

Refers to the act of informing – as an entity or individual and as a victim or a witness – an actor involved in the assistance of cyber victims of a suspected or proven cyberattack.

 

Resilience

In IT, the ability of an information system to resist a breakdown or cyber-attack and return to its initial state after the incident.

 

Risk mapping

Visual representation (e.g. radar, Farmer diagram) of risks resulting from risk assessment activities.

 

Rootkit

Stealth malware that gives an unauthorised third party administrator rights to a computer and conceals its own presence (processes, files, network connections), enabling them to keep control of it.

 

Root name server

In computing, the root is the starting point of a tree structure. There are currently 13 root name server addresses around the world, each served by many anycast instances: these servers host the data required for the Domain Name System (DNS) to function properly, and therefore for the services that depend on it, such as the Web and e-mail.

S

Sabotage

A sabotage operation involves an individual or a group of individuals carrying out an attack that causes damage to the target entity's information system, or even renders it inoperative. The consequences of such an operation can be disastrous, particularly if it affects a vitally important sector such as health, transport or energy.

 

Sanitising data

Removing or neutralising any "illegal" components present in input data, i.e. characters or constructs that the receiving component would interpret as code (notably to prevent XSS and SQL injection attacks). Sanitising is a fallback: parameterised queries and context-specific output encoding are the primary defences.

 

Scanning

A technique used to search for specific connected devices and related information. This technique can also be used to identify the presence of known vulnerabilities on exposed systems.

 

Security event

A security event refers to any trace(s) recorded on an automated processing system which might indicate a security incident and require the implementation of doubt removal efforts.

 

Security accreditation

Security accreditation is a decision taken by an authority within an organisation ("the accreditation authority") authorising the launch or maintenance of an information system. It is required for all public information systems, those handling sensitive or classified information (e.g. IG1300, II901, IGI2102, etc.) and those of vital importance (SIIV).

 

Security incident

A security incident is an event that affects the availability, confidentiality or integrity of an asset. Examples: illegal use of a password, theft of computer equipment, intrusion into a file or application, etc. In the ANSSI taxonomy: a security event for which ANSSI confirms that a malicious actor has successfully carried out actions on the victim's information system.

 

Security provider

An entity providing services intended to ensure the protection and/or defence of automated data processing systems.

 

SGDSN (General Secretariat for Defence and National Security)

Placed at the heart of the executive branch, the SGDSN, which reports to the Prime Minister, assists him in exercising his responsibilities in terms of national defence and security. It acts as secretary to the national defence and security councils chaired by the Head of State. It thus supports political decision-making. Its remit covers all strategic defence and security issues, including military programming, deterrence policy, internal security contributing to national security, economic and energy security, the fight against terrorism, and crisis response planning.

 

Shadow IT

IS designed and implemented within organizations without the approval of the CIO department.

 

SNORT

Free, open-source network intrusion detection system distributed under the GNU GPL.

 

SQL injection

Attack in which SQL fragments are smuggled into an application through unvalidated input, so that the database interprets attacker-supplied data as part of a query it was never intended to run.
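The mechanism behind this entry and the "Sanitising data" entry above, as an added example that is not part of the original page: a query built by string concatenation beside its parameterised form, and a page fragment built by concatenation beside its output-encoded form. The table, rows and payloads are constructed for the demonstration; the code uses only the Python standard library (`sqlite3`, `html`).

```python
import html
import sqlite3

def _db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name: str):
    """Query built by concatenation: whatever the caller passes is parsed as SQL.
    With name = "' OR '1'='1" the WHERE clause becomes always-true."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name: str):
    """Parameterised query: the value travels separately from the statement text,
    so it can only ever be compared as data, never interpreted as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def render_greeting_vulnerable(name: str) -> str:
    """HTML built by concatenation: a <script> in the name is rendered as script."""
    return "<p>Hello " + name + "</p>"

def render_greeting_safe(name: str) -> str:
    """Output encoding for the HTML text context: & < > " ' become entities."""
    return "<p>Hello " + html.escape(name) + "</p>"

# Constructed payloads
PAYLOAD_SQLI = "' OR '1'='1"
PAYLOAD_XSS = "<script>alert(1)</script>"

def demo() -> dict:
    conn = _db()
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, PAYLOAD_SQLI),  # every row leaks
        "sqli_safe": lookup_safe(conn, PAYLOAD_SQLI),              # no such user
        "xss_vulnerable": render_greeting_vulnerable(PAYLOAD_XSS),
        "xss_safe": render_greeting_safe(PAYLOAD_XSS),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the safe variants do not strip anything: the database still receives the quote characters and the browser still receives the angle brackets, but in a form that cannot change the structure of the query or the page. Stripping ("sanitising") is brittle because the set of dangerous characters depends on the interpreter on the other side.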

 

Side-channel attack

Obtaining information from a system or programme by observing the signals emitted by it (electricity consumption, electromagnetic emissions…).
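The same idea applied to a signal the entry does not list, execution time, as an added example that is not part of the original page: a secret-comparison routine that stops at the first differing byte leaks how many leading bytes of a guess were right, and an attacker who can observe that leak recovers the secret one byte at a time. The secret, the "work counter" standing in for measured time, and the use of `hmac.compare_digest` as the constant-time alternative are assumptions of the example.

```python
import hmac

SECRET = b"s3cr3t-token-0001"  # constructed secret for the demonstration

def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the count models
    the running time an attacker could measure over the network."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined

def constant_time_compare(a: bytes, b: bytes):
    """hmac.compare_digest takes time independent of where the inputs differ;
    model that by always reporting the full length as work done."""
    return hmac.compare_digest(a, b), len(a)

def recover_via_timing(oracle, length: int) -> bytes:
    """Byte-at-a-time recovery. For each position, try all 256 byte values and
    keep the one for which the oracle reported equality or did the most work
    (i.e. got past this byte before stopping). Against a leaky oracle this
    rebuilds the secret; against a constant-time one every guess looks alike."""
    known = b""
    for i in range(length):
        best = max(range(256), key=lambda c: oracle(
            known + bytes([c]) + b"\x00" * (length - i - 1)))
        known += bytes([best])
    return known

def demo():
    leaky = lambda guess: naive_compare(SECRET, guess)
    safe = lambda guess: constant_time_compare(SECRET, guess)
    return recover_via_timing(leaky, len(SECRET)), recover_via_timing(safe, len(SECRET))

if __name__ == "__main__":
    from_leaky, from_safe = demo()
    print("leaky oracle   ->", from_leaky)
    print("constant-time  ->", from_safe)
```

The attack needs about 256 × len(secret) queries instead of 256^len(secret), which is why authentication tags, tokens and passwords hashes must be compared with a constant-time routine.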

 

Skimming

Fraudulent activity aimed at pirating bank cards, particularly from cash dispensers.

 

Sniffer

Hardware or software tool whose purpose is to capture frames transiting the network.

Note: If the frames contain unencrypted data, a malicious user can easily retrieve confidential data, such as passwords, e-mails, web page content, etc. The malicious user can also use the frames to retrieve information about the systems exchanging the frames, such as the operating system or services used.

 

Socket

Inter-process communication software mechanism often used between applications and networks.

 

Social engineering

Manipulation to obtain goods or information by exploiting the trust, ignorance or credulity of third parties. Note: Malicious individuals using these methods exploit the human factor, which can in some cases be considered a weak link in information system security.

 

Spam

Any unsolicited e-mail. The mail is often sent simultaneously to a very large number of e-mail addresses. The most frequently advertised products are pornographic services, stock market speculation, medicines, financial credit, etc.

 

Spearphishing

Phishing aimed at a specific person or organisation. This attack is generally based on spoofing the sender's identity, and uses strong social engineering to link the e-mail subject and message body to the activity of the targeted person or organisation.

 

Spyware

Software whose purpose is to collect and transmit to third parties information on the environment in which it is installed, and on the usual uses of the system's users, without the knowledge of the owner or user.

 

State of the art

A set of publicly accessible best practices, technologies and reference documents relating to information systems security, and the information that is obviously derived from them. These documents may be posted on the Internet by the information systems security community, disseminated by reference organizations, or be of regulatory origin.

 

Strategic review of cyber defence

The White Paper on Cyberdefense is a major exercise in strategic synthesis in this field.

 

Strong authentication

Authentication protocols that can be considered strong are often based on so-called challenge-response protocols. The message sent by the prover to authenticate depends on both a secret key and a variable challenge sent by the verifier. When a prover wishes to prove its identity to a verifier, the verifier sends it a challenge (a random value, for example) and the prover must return a response computed from this specific challenge (a signature of the challenge, for example). Because the challenge changes every time, a captured response cannot simply be replayed. To be considered strong, authentication must be based on a cryptographic protocol that resists such attacks.
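The exchange described above with both sides' messages, as an added example that is not part of the original page: the verifier issues a fresh random challenge, the prover answers with an HMAC of it under the shared key, and the verifier accepts each challenge once. The shared key, the choice of HMAC-SHA256 as the response function and the single-use bookkeeping are assumptions of the example; a signature-based variant would replace the HMAC with a signature under the prover's private key.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-shared-secret"  # assumed to be pre-shared between the two parties

class Verifier:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        """Fresh, unpredictable 128-bit challenge."""
        c = os.urandom(16)
        self.outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        """Accept only a challenge this verifier issued and has not seen answered.
        Re-sending a captured (challenge, response) pair therefore fails."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)  # single use
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Prover:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        """Response depends on both the secret key and this specific challenge."""
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

def run_exchange(prover: Prover, verifier: Verifier):
    """One full round trip: challenge out, response back, verdict."""
    c = verifier.challenge()
    r = prover.respond(c)
    return verifier.verify(c, r), c, r

def demo():
    v = Verifier(SHARED_KEY)
    ok, c, r = run_exchange(Prover(SHARED_KEY), v)  # legitimate prover
    replayed = v.verify(c, r)                        # eavesdropper replays the captured pair
    impostor, _, _ = run_exchange(Prover(b"wrong-key"), v)  # party without the secret
    return ok, replayed, impostor

if __name__ == "__main__":
    print("legitimate / replay / impostor:", demo())
```

In a deployed protocol the response would also bind the identities of both parties and the session (for instance by including them in the MAC input), so that a response obtained from the prover for one verifier cannot be relayed to another.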

 

Supply chain attack

This type of attack involves compromising a third party, such as a software service provider or contractor, in order to reach the end victim. The technique has been used by several state actors and cybercriminals since at least 2016. It presents a risk of rapid propagation of an attack, which can sometimes affect an entire business sector or a specific geographical area, particularly when the attack targets a widely used software supplier, a local digital service company (ESN) or one specialised in a particular business sector.

 

Symmetric key cryptography

Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key.

 

Swatting

Anonymously calling emergency or rescue services to report a fictitious crime or assault on people or property and request their intervention.

 

Switch

Computer device placed at the node of a star network, which concentrates and distributes data communications.

 

T

Threat assessment

Over a given period and perimeter, the threat assessment characterizes the nature and level of risk involved, based on various variables such as the type of threat, the actors involved, the trends observed, the modus operandi at work, the objectives targeted and the resources available. To draw up this overview, ANSSI has divided the threat into four categories: cybercrime, destabilization, espionage and sabotage.

 

The tactics, techniques and procedures (TTPs) of an attacker or group of attackers

The attacker's signature, the way he targets and attacks his victims.

 

Top-Level Domain (TLD)

The highest possible domain level in internet addressing structure, whose coded representation is located at the very end of all domain names.

 

Trojan Horse

A program that gives the impression of having a useful function, but on the other hand has a hidden, potentially malicious function.

 

Trusted core

The trusted core is the part of an information system underpinning the security of the entire information system. In most information systems, the trusted core includes: identity management, administration, security supervision components, and hypervisors. Compromising a component of the trusted core would lead to compromising the entire information system. Secure architectures aim to minimise the size and complexity of the trusted core, in order to keep its security as simple as possible. This minimalistic nature of the trusted core is particularly important in an incident where any part of the information system may have been compromised. Although the trusted core of most office systems is frequently centred around the Active Directory, this is not the only possible case.

 

Troubleshooting

Assistance protocol intended to help resolve problems or technical malfunctions impacting software or devices.

 

Typosquatting

The malicious act of registering a domain name that is very similar to another domain name, differing by only one or two characters.
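One way to hunt for such registrations, as an added example that is not part of the original page: compute the edit distance between newly seen domain names and a list of protected names, and flag anything within one or two operations (insertion, deletion or substitution, i.e. Levenshtein distance). The protected list, the candidate domains and the threshold are constructed for the example; comparing whole names rather than registrable domains, and ignoring homoglyphs such as Cyrillic look-alikes, are simplifications.

```python
from typing import Iterable, List, Tuple

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), the formal version of
    "differing by only one or two characters"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

# Constructed list of names to protect (assumption of the example).
PROTECTED = ["example.com", "ssi.gouv.fr"]

def find_typosquats(candidates: Iterable[str], protected: List[str] = PROTECTED,
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (candidate, protected_name, distance) for every candidate that is
    close to, but not identical with, a protected name."""
    hits = []
    for cand in candidates:
        c = cand.lower().rstrip(".")
        for p in protected:
            if c == p:
                continue  # the genuine name itself
            d = edit_distance(c, p)
            if d <= max_distance:
                hits.append((cand, p, d))
    return hits

# Constructed candidates: the genuine names, four look-alikes of example.com
# (rn for m, digit 1 for l, dropped TLD letter, swapped letters), one of
# ssi.gouv.fr (l for i) and an unrelated name.
SAMPLE_DOMAINS = ["example.com", "exarnple.com", "examp1e.com", "example.co",
                  "exmaple.com", "ssi.gouv.fr", "ssl.gouv.fr", "unrelated.org"]

if __name__ == "__main__":
    for cand, target, d in find_typosquats(SAMPLE_DOMAINS):
        print(f"{cand:15} looks like {target:12} (distance {d})")
```

Fed with a daily feed of newly registered domains or with certificate-transparency log entries, this check gives early warning before a look-alike is used in a phishing campaign; the defensive counterpart is to register the most likely variants yourself.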

V

Victim

Any natural person or legal entity whose automated data processing system is directly or indirectly impacted by a security incident.

 

Vulnerability

Flaw in a computer system enabling an attacker to undermine its normal operation, or the confidentiality or integrity of the data it contains.

W

Web bug

Graphic element embedded in a web page or e-mail, whose purpose is to monitor the viewing of that page or e-mail without the reader's knowledge. Note: these elements are often invisible, as many are set to a very small size (1×1 pixel). They are also frequently represented by HTML IMG tags.

 

Watering hole

This type of attack is designed to infect the computers of personnel working in a targeted industry or organisation. The "watering hole" technique involves compromising a legitimate website so that it infects the machines of visitors in the attacker's area of interest. There are numerous cases of insufficiently secured sites belonging to professional associations or industry groups, whose vulnerabilities are exploited to infect their members, thereby enabling access to their most sensitive networks. The most strategic sectors are obviously the most targeted.

Z

Zero-day, 0-day

Vulnerability that has not been published and for which no patch is available, leaving defenders no days to prepare.