A Primer on Common Cybersecurity Acronyms, Part 1

Cybersecurity, like any field, is rife with its own terminology, abbreviations, and unique definitions. While the jargon isn't new ("cybersecurity" as a discipline has existed since 1987 and has been in the dictionary since 1989), its users remained largely within the IT field until just a few years ago. With the 2021 publication of Executive Order 14028, "Improving the Nation's Cybersecurity," a more diverse audience of industry professionals has been exposed to the language of cybersecurity. This series is an attempt to help non-IT professionals learn and understand this language.


Part 1: Vulnerability Identification

The language of cybersecurity makes frequent reference to threats. A threat is any potential event or attack that exposes digital or digital-adjacent assets, such as information, networks, and peripherals, to unauthorized access, damage, tampering, or disruption. Threats exploit vulnerabilities in software architecture or implementation to adversely impact data confidentiality, integrity, or availability (known as the CIA triad). Therefore, resources that can help identify threats and vulnerabilities are essential for developing countermeasures that protect digital infrastructure and assets.

The first step in threat modeling is identifying potential vulnerabilities that may exist in developed systems. There are three frequently referenced databases for sourcing this information:

  • CWE - Common Weakness Enumeration

CWE lists common weaknesses in software, hardware, and IT design along with information on exploitability and potential mitigation strategies. It is a categorization scheme for poor design practices, and can be used as a generalized coding standard to ensure common weaknesses are designed out of the system under development, so that they don't become vulnerabilities.

  • CAPEC - Common Attack Pattern Enumeration and Classification

CAPEC is a taxonomy of known attack patterns and can be used to employ defensive coding or policy implementation to proactively guard against bad actors. This classification approaches identification from the outside in, uncovering potential vulnerabilities in the same ways an attacker might try to gain unauthorized access.

  • CVE - Common Vulnerabilities and Exposures

Unlike CWE and CAPEC above, CVE is a registry of real vulnerabilities extant in production systems and components, disclosed by the respective developer or manufacturer of these products. This helps security teams at downstream organizations stay on top of emerging threats and develop mitigations to protect their own systems from exploitation.


Together, CWE, CAPEC, and CVE can be used by organizations to address known and emergent security threats by implementing secure design, guarding against common attack paths, and maintaining awareness of, and responsiveness to, extant vulnerabilities within their software supply chains.
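As an added illustration of how the three registries fit together (this is example code, not part of the original article or any MITRE tooling), the script below cross-references a constructed component inventory against constructed CVE records, then rolls the hits up to their CWE weakness class and CAPEC attack pattern. The CVE IDs and product names are placeholders; the identifier formats and the CWE-79/CAPEC-63 and CWE-89/CAPEC-66 pairings are stated from memory rather than from the article.

```python
import re
from collections import Counter

# Identifier naming conventions, from memory (not from the article):
# CVE-YYYY-NNNN (four or more sequence digits), CWE-N, CAPEC-N.
ID_FORMATS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "CWE": re.compile(r"^CWE-\d+$"),
    "CAPEC": re.compile(r"^CAPEC-\d+$"),
}

# Constructed CVE records with placeholder IDs (not real advisories). Each concrete
# vulnerability (CVE) is tagged with the weakness class it instantiates (CWE) and the
# attack pattern that targets it (CAPEC). CWE-79/CAPEC-63 (cross-site scripting) and
# CWE-89/CAPEC-66 (SQL injection) are real catalogue entries.
SAMPLE_CVES = [
    {"id": "CVE-2099-0001", "product": "widgetd", "affected": ["1.0", "1.1"], "cwe": "CWE-79", "capec": "CAPEC-63"},
    {"id": "CVE-2099-0002", "product": "widgetd", "affected": ["1.1"], "cwe": "CWE-89", "capec": "CAPEC-66"},
    {"id": "CVE-2099-0003", "product": "libfoo", "affected": ["2.3"], "cwe": "CWE-79", "capec": "CAPEC-63"},
]

# Constructed component inventory, the kind of list a software bill of materials provides.
SAMPLE_INVENTORY = [
    {"product": "widgetd", "version": "1.1"},
    {"product": "libfoo", "version": "2.4"},
    {"product": "barlib", "version": "0.9"},
]

def valid_id(kind, ident):
    """Return True if ident follows the naming convention for kind ('CVE', 'CWE' or 'CAPEC')."""
    pattern = ID_FORMATS.get(kind)
    return bool(pattern and pattern.match(ident))

def affected_components(inventory, cves):
    """Return (product, version, cve_id) for every inventory entry listed as affected by a CVE."""
    hits = []
    for rec in cves:
        if not valid_id("CVE", rec["id"]):
            raise ValueError(f"malformed CVE identifier: {rec['id']}")
        for comp in inventory:
            if comp["product"] == rec["product"] and comp["version"] in rec["affected"]:
                hits.append((comp["product"], comp["version"], rec["id"]))
    return hits

def weakness_summary(hits, cves):
    """Count matched CVEs per CWE class so a recurring weakness surfaces as a design problem."""
    by_id = {rec["id"]: rec for rec in cves}
    return Counter(by_id[cve_id]["cwe"] for _, _, cve_id in hits)

def attack_patterns(hits, cves):
    """List the CAPEC patterns relevant to the matched CVEs, to guide defensive review."""
    by_id = {rec["id"]: rec for rec in cves}
    return sorted({by_id[cve_id]["capec"] for _, _, cve_id in hits})
```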

In the next part, we'll expand our ability to identify unique product-specific threats by learning about common threat modeling methods.

#Cybersecurity #CWE #CAPEC #CVE #SPDF #ThreatModeling #CybersecurityLiteracy #CybersecurityForEveryone

Svitlana Medvedyk💙💛

Head of Sales and Marketing Department

1y

Nikhil, thanks for sharing!

Kamlesh Pande

Innovation & Higher Technical Education (HTE) Consultant

1y

Great article, Nikhil. Very educative, simple and well-written. Now no more intimidation. I enjoyed it. Looking forward to reading subsequent parts.
