Cloud Threat Report Glossary



Agile Software/Scrum

A collaborative approach to software development that is based on evolution of code over regular check-ins. Scrum utilizes the Agile model and is based around smaller teams who break projects into time-oriented actions.

Anomalous End User Activities

When an application, user, device, or network exhibits behaviors that show variances from normal behaviors over a prior period, this is considered anomalous behavior. SecOps teams sometimes employ technologies (such as CASB or SIEM) that leverage user and entity behavior analytics (UEBA) or machine learning technologies to help identify these anomalies and to act on them.

API Security

The processes and technology used to protect the authentication (AUTHN) and authorization (AUTHZ) processes within the API environment of a web service.

Artificial Intelligence/Machine Learning/Deep Learning


Bit Mining/Cryptojacking


Cryptojacking is the act of embedding malicious code within desktops, servers, or cloud platforms. The purpose is to consume available CPU cycles from a distributed set of systems to solve highly complex computational problems associated with bitcoin mining. Some have found that the financial costs of the power required to solve these mathematical calculations exceed the financial gains of the bitcoin mining itself. This has led to the use of CPU power of these targeted systems to offload the burden of power costs and to increase the chances of solving mathematical problems in a shorter period of time than would be possible with desktop systems.


Bots/Botnets

A bot is a software application that runs automated tasks (scripts) for simplified functions, but at a frequency that exceeds the abilities of human staff. Bots were originally created to do good things, such as identify pricing structures of a competitor, fetch and analyze information or files from remote servers, and more. More than half of all web traffic is made up of bots, according to the Bot Traffic Report.

Chatbots, such as Apple’s Siri, are bots that mimic written or spoken human speech to simulate a conversation or interaction with a real person.

In recent years, attackers have leveraged these forms of automation and intelligence for malicious purposes. Botnets distribute thousands of bots that all feed into a command-and-control structure awaiting the commands of attackers. This can include distribution of targeted attacks, such as spear phishing, ransomware, distributed denial-of-service (DDoS), spam, or network listening to strip out and capture files or credentials from the wire or from local systems infected with the bot.

Business Email Compromise (BEC)/Email Fraud

BEC is a form of email fraud targeting enterprises where the victim (user) has special privileges with respect to company finances. This form of email spoofing uses emails that appear to come from an executive or authority within the company, or from partners, builds a false sense of trust, then creates a sense of urgency through a false requirement to pay a partner or vendor for a service. The goal here is to get the trusted employee to lower their guard and pay a third party or share confidential data with one.


Cloud Access Security Broker (CASB)

A CASB intercepts all cloud traffic to discover the apps being used, inspect and determine intent of traffic against policies, create secure policies to ensure proper use of data, and block access or restrict behaviors based upon policy.

CASBs are one of the most effective means of determining how employees are using the cloud for apps and services, and they ensure effective policies are put in place that protect the data. However, not all CASBs are equal. Some cover IaaS, PaaS, and SaaS, while many others cover targeted areas of the cloud and specific services. Other CASBs analyze key business applications to help identify signs of internal/external fraud events and allow for responsive defensive actions.

Cloud Service Provider (CSP)

A CSP is a business that provides cloud-based IaaS, PaaS, and SaaS to customers who prefer not to rely upon their own data centers and staff.

Consumerization of IT

The blending of personal and business technology (applications and devices) is often called IT consumerization (or consumerization of IT).

Continuous Integration and Continuous Delivery (CI/CD)

In the world of DevOps, CI/CD represents a philosophical change in how the developer community streamlines the secure integration of coding updates on a more frequent basis. Also known as a check-in.


In an effort to reduce risk and exposure to threats, organizations have worked toward a model of defense-in-depth across the enterprise to ensure there are controls in place across all points of the enterprise for every threat. In a cloud environment, this has shifted to a core-to-edge philosophy where organizations maintain multiple levels of controls around core data, whether it’s on premises or in the cloud, and continue up the stack into cloud-based services. Surrounding this with proper security controls and policies that cross people, places, and technology helps to serve as a defense against sophisticated attacks.

Credential Stuffing

In recent years, the mega-breach has resulted in massive collections of user credentials (and passwords) that number in the millions per incident. Credential stuffing uses a single credential and cycles through random passwords, launching millions of potential credentials and associated passwords against ecommerce and business-cloud applications. Since it is widely known that users tend to recycle their passwords between personal and business accounts, the objective here is to find those individuals who can be exploited by using a personal credential against business apps, or business credentials against ecommerce.

A recent study by Shape Security identified that 90 percent of ecommerce login traffic comes from hackers using credential-stuffing techniques.


Dark Web

The dark web (also known as Darknet) is essentially a grouping of private internet systems that is accessible only through an anonymizing browser such as Tor, and cannot be indexed by today’s search engines. User identities and locations remain anonymous, and the level of network encryption makes it impossible to track users back. While commonly known as a platform for illegal activities and those looking to circumvent law-enforcement monitoring techniques, a few legitimate businesses have set up shop on the dark web.

Data Loss Prevention (DLP)

By using forms of monitoring, detection, and blocking of requests, data loss prevention ensures that sensitive corporate data is not shared or transmitted in ways not approved or designed for that classification of data, or for that particular role/user/application.


DevOps/DevSecOps

DevOps and DevSecOps both use development operations as part of an application lifecycle to identify risks and vulnerabilities and ensure that development works this into the next round of updates. DevSecOps takes this one step further by calling for the adoption of security best practices in the development process to ensure effective risk management.

Distributed Denial-of-Service (DDoS)

This is a form of cyberattack where the goal is to make the target machine or network unavailable to legitimate traffic and users by flooding the target with IP requests. This results in an overload and prevents legitimate users from accessing the target temporarily or indefinitely. In a distributed model, the attack traffic is a coordinated effort launched by numerous (sometimes thousands of) systems against a single device or network and is organized from a single command-and-control server. This is often leveraged as part of a sophisticated botnet attack.

Docker Hub

A Docker site used to manage container images.


Email Phishing/Spear Phishing

Phishing is the act of using electronic communications (email, IM, or social) disguised as a legitimate message from a trusted partner, company, or individual to target an unsuspecting viewer. The goal is to get the viewer to click on links that point to imposter websites that capture or steal the user’s credentials.

Spear phishing uses the same tactic to seek unauthorized access to corporate information.

Email Spoofing

Email spoofing forges an email header so that emails appear to have a sender that differs from the actual sender. Successful email spoofing will alter malicious emails to include the names of persons known to the victim, such as their upline management or work colleagues, and includes a call to action (such as opening an attachment, clicking a link, or replying with sensitive information). Email spoofing is often used as part of a spear-phishing campaign.


General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. This regulation broadly affects all organizations, government agencies, and companies throughout the world that collect or use personal data tied to EU residents.


Jump Host

The widespread use of demilitarized zones (DMZs) in corporate networks in the 1990s led to a need for operators from the trusted/safe zone of the enterprise to manage and control systems in the untrusted/unsafe zone, such as managing SMTP relays, firewalls, web servers, proxy servers, and more. This jump-host model continues in the cloud with the use of control servers that manage cloud services out of line.


Keeping Pace at Scale

The cloud has made it easier than ever for lines of business (LOB) to rapidly acquire and provision new services to support their needs. This often occurs without the necessary collaboration with SecOps, or at an accelerated rate that exceeds the time needed to fully integrate security analytics into the service offering. As a result, new SaaS services come online with limited integration and analysis by security frameworks to detect emerging attacks. This pace gap between business and security teams continues to grow and is a leading cause of limited visibility.

Keystroke Logger/Keylogger

There are numerous ways to steal user credentials or data, but one of the oldest and simplest methods is to capture the keystrokes of a user to see exactly what they are typing. This can be a software compromise, or even a hardware device (as easy to obtain as ordering on popular retail sites). More sophisticated versions are often bundled with ransomware and propagated via botnet so that an attacker can capture all of the possible user ID/password combinations as a victim attempts to gain access to their device.


MFA/Adaptive Multifactor Authentication (A-MFA)

MFA refers to the use of secondary authentication controls to validate primary authentication. The secondary challenge requires the user to initially enter their user ID and password, then follow up with a secondary form of authentication such as biometrics, passphrase sent to smartphone, physical token, or card. MFA has proven to be a highly successful component of fraud-reduction programs. Like any security solution, these extra steps can sometimes draw the ire of the user due to added steps or complexity required by them.

Enter Adaptive MFA, which allows organizations to use primary authentication for key systems, and only force the second form of authentication if there is a variance in normal user behavior. This includes login attempts outside normal hours, from a different device, from an alternate location, or if there are unusual behaviors in terms of transactions or online behavior. Any or all of these can initiate an MFA request to ensure you are who you are. Adaptive MFA is only offered with specific identity-management solutions.


Open Systems Interconnection (OSI)

The OSI model represents the communications functions of telecommunications or computing environments. Leveraging standard protocols, it establishes interoperability across a wide swath of communication systems. Often called the 7 OSI Layers, this standard was developed in 1978 and finalized in 1984.


Penetration Testing

Penetration testing, also known as a pen test, is a form of simulated cyberattack that is authorized by the company or owner of the targeted systems. This can be used in an on-premises model or against cloud resources to identify points of misconfiguration, application vulnerabilities, and areas where patches have not been implemented. This also helps to identify weak points in the architecture design where precautions have not been implemented.

Many companies require a full pen test of the services, code, applications, and infrastructure prior to being deployed into production, with full results provided to internal DevSecOps teams.



Ransomware

Ransomware is a form of malware/malicious code that leverages the encryption of a target system, then threatens the business or the user with release of the information to the public unless a ransom is paid. The ransom is often paid in the form of bitcoins, but in many cases, the ransom payment does not result in the decryption of the asset. While ransomware had leveled off in the past two years, it is expected that new threats will emerge in 2019 as expanded forms of propagation are leveraged beyond email and web, such as bots/botnets.

Readiness Gap


Security Operations and Analytics Platform Architecture (SOAPA)

Service-Level Agreement (SLA)

An SLA is an agreement in writing between a service provider and a customer that covers multiple aspects of the services provided, including quality, availability, financials, and responsibilities. This is a contract-level agreement that binds the service provider to specified deliverables; failure to deliver per the contract may result in financial penalties imposed against the service provider.

Shadow IT

Shadow IT is caused by the unauthorized use of software-as-a-service (SaaS) applications by both individual employees and by distributed development teams that leverage infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) platforms for application development without the knowledge, approval, or support of corporate IT and security.

The risk of shadow IT is that the use of potentially insecure and vulnerable services that contain business-critical information may expose the business to loss of data or breach. The risk of shadow IT also extends to the unauthorized use of legitimate applications. For example, if finance is approved to use a SaaS application, that application would be fully monitored and controlled by IT operations (ITOps) and security operations (SecOps). However, should another department deploy their own personal version of the same SaaS service, they would do so without the corporate controls in place. This can violate privacy regulations and corporate policies, and put the business at risk.

Shared-Responsibility Security Model (SRSM)

In a shared-responsibility security model, the cloud service provider (CSP) and the cloud consumer each have a role to play in securing the cloud-resident infrastructure and cloud-delivered applications. The line of demarcation about which part of the stack each party is responsible for securing differs for SaaS, IaaS, and PaaS services. For example, IaaS CSPs are generally responsible for securing the physical infrastructure up to and including the virtualization layer. The customer is then responsible for protecting the server workload. However, regardless of consumption model—IaaS, PaaS, or SaaS—the customer is generally responsible for data security, user access, and identity management (see figure 1).

Figure 1. Shared-Responsibility Security Model for Cloud


Shodan

Shodan is a search engine used by companies and individuals to identify specific forms of Internet of Things (IoT) and IP devices (routers, servers, webcams, smart devices) that are connected to the internet. While not a free service, anonymous users can obtain up to 10 results, which may be just enough to know how to penetrate an organization or consumer via their IoT devices.

Social Engineering

Social engineering targets people through a variety of psychological manipulations and takes advantage of common human behaviors to perform actions that an attacker can exploit. These kinds of confidence tricks can be a key source of information gathering, fraud, or unauthorized access to sensitive information.

Social engineering is behind many of today’s most common security risks, such as business email compromises, phishing, ransomware, malware, credential theft, and more.

SQL Injection/Cross-Site Scripting Attack

A code flaw or vulnerability in an application or service can enable attackers to insert nefarious SQL statements into an entry field for execution, which can spoof identity, cause repudiation issues, tamper with or destroy data, or elevate privileges.

Cross-site scripting is similar in that it allows an attacker to inject client-side scripts into web pages to exploit the system.


Token/Token-Based Authentication

This is a physical device that is used to access restricted information and services on a network or cloud-based service. This electronic key often includes a digital signature, biometric data, and cryptographic keys for accessing sensitive personal or business data.


Virtual Patch

In cases where there are known vulnerabilities such as SQL injection, cross-site scripting, and more, vendors may release a patch that is not immediately available, or that the customer has not yet deployed. In these cases of unpatched applications/services, it is possible to use in-line technology such as a web application firewall (WAF) to perform packet inspection and detection of techniques designed to target the vulnerability, then block those IP-based sessions from reaching the exposed system.

However, virtual patching is simply a Band-Aid approach to resolving the underlying problem. If car keys are stuck in the ignition, the owner has an inherent vulnerability that can lead to the car being stolen. The patch would be to secure the ignition. The virtual patch locks the driver’s door. As in IT security, an attacker can eventually find another way in, perhaps another door or open window, to exploit the vulnerability, so virtual patching should never be viewed as a solution over patching the source code.


Web Application Firewall (WAF)

A WAF is a filter that sits in front of your application and inspects incoming traffic for potential threats and malicious activity. It is one of the most common means of protecting against attacks at the application layer.