CDA Cybersecurity Glossary: Fundamentals (Batch 1)

Cybersecurity has a language problem. The field runs on acronyms, vendor jargon, and technical shorthand that insiders take for granted but that leaves most people feeling lost before the conversation starts. This glossary cuts through that. Each entry answers the single most important question someone new to the topic actually asks: "What is this thing, and why does it matter?" No prerequisites required. No condescension offered. Just clean, honest explanations grounded in how the Cyber Defense Army's Planetary Defense Model approaches each concept.

---

What Is a Firewall?

PDM Domain: Security Posture and Hygiene (SPH)

A firewall is a security control that sits between two networks (most commonly between the internet and an internal network) and decides which traffic is allowed to pass through and which is blocked. Think of it as a bouncer at the door: every packet of data that wants to enter or leave presents itself at the firewall, which checks it against a ruleset and either lets it in or turns it away. The core job has not changed in 30 years. The sophistication of how that decision gets made absolutely has.

The earliest firewalls used packet filtering, inspecting individual packets for things like source IP address, destination IP address, and port number. If the packet matched an allowed rule, it passed. This approach is fast but shallow, as it has no memory of previous packets and no understanding of what a conversation between two systems actually looks like. Stateful inspection improved on this by tracking the state of active connections, so the firewall could tell the difference between a legitimate reply to an outbound request and an unsolicited inbound connection pretending to be one. Next-generation firewalls (NGFWs) go further still, inspecting the actual content of traffic (deep packet inspection), applying application-layer awareness, integrating threat intelligence feeds, and enforcing user-identity-based policies rather than just IP-based ones.

The important caveat: firewalls are necessary but not sufficient. The old model of "hard shell, soft interior" where a firewall protects a trusted network perimeter has collapsed. Cloud workloads, remote employees, SaaS applications, and mobile devices have dissolved the perimeter entirely. A firewall at the edge of a corporate network provides zero protection for a laptop connecting to a cloud application from a coffee shop. This is one of the central reasons the security industry has shifted toward zero trust architectures, where trust is never assumed based on network location. The firewall remains a critical component of a mature security posture, but it is one layer in a defense-in-depth strategy, not the strategy itself. For a complete technical deep-dive, see Firewall Architecture and Management.

---

What Is Encryption?

PDM Domain: Data Protection and Sovereignty (DPS)

Encryption is the process of converting readable information (called plaintext) into an unreadable scrambled form (called ciphertext) using a mathematical algorithm and a cryptographic key. Only someone who possesses the correct key can reverse the process and read the original data. Without the key, the ciphertext is computationally useless, even if an attacker captures every byte of it. This is not obscurity. It is mathematics.

There are two fundamental categories of encryption. Symmetric encryption uses the same key to encrypt and decrypt data. It is fast and efficient, making it ideal for encrypting large volumes of data at rest. AES-256 (Advanced Encryption Standard with a 256-bit key) is the current gold standard and is used by the U.S. government to protect classified information. Asymmetric encryption (also called public-key cryptography) uses a mathematically linked pair of keys: a public key that anyone can use to encrypt data, and a private key that only the owner holds for decryption. This solves the key distribution problem (how do you securely share a secret key with someone you have never met?) and is what makes secure communication over the internet possible. HTTPS, email signing, and digital certificates all rely on asymmetric encryption.

The principle that drives CDA's Sovereign Data Protocol (SDP) is this: encrypt the data, not just the channel. Many organizations encrypt data in transit (the connection between your browser and a website) but leave data unencrypted at rest in databases, backups, and file stores. When those systems are breached, which they eventually are, the data is immediately readable. Strong encryption at the data layer means that even a successful breach yields nothing actionable. Encryption is the last line of defense: when every other control fails, it is what keeps stolen data worthless. For a complete technical deep-dive, see Encryption at Rest and in Transit.

---

What Is Malware?

PDM Domain: Threat Intelligence and Defense (TID)

Malware is a catch-all term for any software intentionally designed to damage, disrupt, gain unauthorized access to, or extract data from a system or network. The word is a contraction of "malicious software." It is not a specific technical category but a broad label for a family of threats that vary significantly in how they work, what they target, and who deploys them.

The major categories include: viruses (code that attaches to legitimate files and replicates when those files are executed), worms (self-replicating malware that spreads across networks without needing a host file), trojans (malware disguised as legitimate software that tricks users into installing it), ransomware (encrypts victim files and demands payment for the decryption key), spyware (silently collects information such as keystrokes, screenshots, and browsing history), adware (delivers unwanted advertisements and often bundles with spyware), rootkits (malware that hides deep in the operating system to avoid detection and maintain persistent access), and remote access trojans or RATs (give an attacker full remote control of an infected system).

Understanding malware's trajectory matters as much as knowing the taxonomy. In the early internet era, malware was largely created by hobbyists and researchers, more for notoriety than for financial gain. By the mid-2000s, organized criminal enterprises had recognized the profit potential: banking trojans stealing credentials, botnets renting out infected machines for spam and DDoS attacks, and adware generating fraudulent ad revenue at scale. Today, malware is also a nation-state weapon. Stuxnet, which destroyed Iranian nuclear centrifuges without firing a shot, demonstrated that malicious software could produce real-world physical destruction. The stakes of malware defense have never been higher. For a complete technical deep-dive, see Ransomware and Fileless Malware.

---

What Is a VPN?

PDM Domain: Security Posture and Hygiene (SPH)

A VPN, or Virtual Private Network, creates an encrypted tunnel between a user's device and a destination network, making it appear as though the user is connecting from the network's physical location rather than their own. For an employee working from home connecting to corporate systems, a VPN extends the corporate network to their laptop as if they were sitting in the office. All traffic between the device and the corporate gateway travels through this encrypted tunnel, shielded from interception on whatever network the employee is using.

The technology works through tunneling protocols, which wrap network traffic in an additional encrypted layer. Common protocols include OpenVPN (open-source, highly configurable, widely trusted), WireGuard (modern, fast, with a minimal codebase that is easier to audit for security flaws), and IKEv2/IPSec (a mature, stable protocol common in enterprise environments). Consumer VPNs marketed to individuals for privacy use the same underlying technology but serve a different purpose: they route all internet traffic through the VPN provider's servers, masking browsing activity from an ISP and changing the apparent geographic location of the user. These are entirely separate products from corporate VPNs and carry their own trust considerations, since the VPN provider can see all traffic that the ISP previously could.

The enterprise VPN has a serious problem: it has become one of the most-exploited technologies in modern cybersecurity. Vulnerabilities in products from Ivanti, Pulse Secure, Fortinet, and Cisco have been chained together by ransomware groups and nation-state actors to gain initial access to corporate networks at scale. The architectural flaw is inherent: VPNs grant broad network access to any authenticated user, meaning a stolen credential or compromised device unlocks much more than it should. This has accelerated enterprise adoption of Zero Trust Network Access (ZTNA), which provides application-level access rather than network-level access, so a compromised credential can only reach the specific resources it was authorized for, not the entire network. For a complete technical deep-dive, see Secure Remote Access and SASE (Secure Access Service Edge).

---

What Is Two-Factor Authentication?

PDM Domain: Identity Access and Trust (IAT)

Two-factor authentication (2FA) is a method of verifying a user's identity by requiring two separate forms of proof before granting access. The underlying logic is simple: if an attacker steals your password, they still cannot log in without also possessing the second factor. A single credential is a single point of failure. Two factors in different categories are significantly harder to compromise simultaneously.

Security practitioners organize authentication factors into three categories. Something you know is typically a password or PIN. Something you have is a physical or digital token: a hardware security key, a smartphone running an authenticator app, or a one-time code sent via SMS. Something you are refers to biometrics: fingerprint, face recognition, or retina scan. True two-factor authentication combines factors from two different categories, not just two instances of the same one (two passwords, for example, are not 2FA). In practice, "multi-factor authentication" (MFA) is the term used when three or more factors are combined, though the two terms are frequently used interchangeably in everyday conversation.

Not all 2FA methods carry equal security weight. SMS-based one-time passwords (OTP) are the weakest common option: SIM-swapping attacks, SS7 protocol vulnerabilities, and social engineering of mobile carrier support staff have all been used to intercept SMS codes. Time-based OTP (TOTP) apps like Google Authenticator or Authy generate codes locally on the device and are meaningfully stronger. Push notification-based authentication, where a user approves a login request by tapping a button on their phone, introduced a new attack surface: MFA fatigue, in which an attacker with valid credentials sends repeated authentication push requests until an exhausted or confused user taps "approve." Hardware security keys (FIDO2/WebAuthn standard) are the strongest available option for most users, as they are cryptographically bound to the specific website and are immune to phishing because they verify the site's identity as part of the authentication process. For a complete technical deep-dive, see Multi-Factor Authentication (MFA) and FIDO2 and WebAuthn: Passwordless Authentication.

---

What Is a Data Breach?

PDM Domain: Data Protection and Sovereignty (DPS)

A data breach is a security incident in which unauthorized individuals successfully access, copy, steal, or expose sensitive, confidential, or protected information. The key word is "unauthorized." A data breach is a confirmed event, not a suspicion. This distinguishes it from a security incident (a broader term covering any event with the potential for harm) or a near-miss (where a vulnerability was discovered but not exploited). The breach notification frameworks that govern organizational response are very specific about this distinction, because the legal and regulatory consequences differ substantially.

The regulatory timeline requirements for breach notification vary by jurisdiction and sector. Under GDPR, organizations must notify their supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms. HIPAA gives covered healthcare entities up to 60 days to notify affected individuals and the Department of Health and Human Services, though this has been widely criticized as inadequate given how quickly breach data is monetized on criminal markets. The U.S. SEC now requires publicly traded companies to disclose material cybersecurity incidents within four business days of determining that a breach is material, a rule that took effect in late 2023. The data most targeted in breaches reflects what is most monetizable: personally identifiable information (PII) for identity fraud, protected health information (PHI) for insurance fraud, payment card data for direct financial theft, credentials for account takeovers and further intrusion, and intellectual property for competitive or national security advantage.

The financial stakes are significant and rising. The IBM Cost of a Data Breach Report for 2023 put the average total cost of a data breach at $4.45 million, a figure that includes detection and escalation costs, notification costs, post-breach response, and lost business. Healthcare breaches are consistently the most expensive sector, averaging over $10 million per incident. These numbers make clear that investing in prevention is not a budget line item to optimize away. For a complete technical deep-dive, see Data Breach Investigation and Response.

---

What Is Ransomware?

PDM Domain: Threat Intelligence and Defense (TID)

Ransomware is a category of malware that encrypts a victim's files, rendering them inaccessible, and then demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key needed to restore access. The core mechanism is straightforward: once ransomware executes on a system, it enumerates files, encrypts them using strong cryptographic algorithms, deletes the originals, and leaves behind a ransom note with payment instructions and a deadline. Before strong encryption was widely available, earlier versions of ransomware used weak or home-grown cryptography that researchers could often crack. Modern ransomware uses AES-256 for file encryption and RSA-2048 or higher for key protection, making decryption without the attacker's key computationally infeasible.

The ransomware business model has evolved aggressively. Early ransomware targeted individuals and demanded modest sums. Modern ransomware groups operate as sophisticated criminal enterprises targeting large organizations with multimillion-dollar demands. Double extortion emerged as a dominant tactic around 2019: attackers not only encrypt files but exfiltrate data first, then threaten to publish it on a leak site if the ransom is not paid. This eliminates the "we have backups, we don't need to pay" response. Triple extortion adds a third lever, typically a distributed denial-of-service (DDoS) attack against the victim's infrastructure to amplify pressure. Ransomware-as-a-Service (RaaS) has further industrialized the threat, allowing non-technical criminals to license ransomware tooling from developers in exchange for a share of the proceeds. This has dramatically lowered the barrier to entry and increased attack volume.

The primary defense against ransomware encryption is tested, offline backups. If clean backups exist that the ransomware could not reach (air-gapped, immutable, or stored off-network), recovery is possible without paying. No amount of endpoint protection guarantees that ransomware will never execute. The backup and recovery strategy is what determines whether a ransomware incident becomes a multi-million-dollar catastrophe or a measured operational disruption. For a complete technical deep-dive, see Ransomware and Ransomware Response Playbook.

---

What Is Phishing?

PDM Domain: Threat Intelligence and Defense (TID)

Phishing is a social engineering attack that uses deceptive communication to manipulate people into taking actions they would not take if they understood what was actually happening: revealing credentials, clicking on malicious links, opening infected attachments, or transferring funds to attacker-controlled accounts. The name is a deliberate misspelling of "fishing," capturing the idea of baiting a hook and waiting for a victim to bite. Unlike technical exploits that attack software vulnerabilities, phishing attacks the human layer, exploiting trust, urgency, authority, and habit.

Mass phishing (sometimes called spray-and-pray) casts the widest net, sending identical or near-identical messages to millions of addresses hoping a small percentage will engage. Spear phishing is targeted, using research about a specific individual or organization to craft a convincing personalized message. Whaling targets high-value individuals, typically executives, whose access or authority makes them particularly useful to compromise. Smishing uses SMS text messages rather than email. Vishing uses voice calls, with attackers impersonating bank fraud departments, IT helpdesks, or government agencies. Business Email Compromise (BEC) is a particularly costly phishing variant in which attackers impersonate executives or vendors to trick employees into authorizing fraudulent wire transfers or changing payment account details. The FBI's Internet Crime Complaint Center consistently reports BEC as the highest-cost cybercrime category, with annual losses in the billions of dollars.

The persistence of phishing as the number one initial access technique, despite decades of awareness training and increasingly sophisticated technical defenses, reflects something important about the attack surface. No software patch fixes human psychology. Phishing succeeds because it exploits cognitive shortcuts that are genuinely useful in most contexts: trust, urgency, deference to authority, and the desire to be helpful. Technical controls (email authentication standards like SPF, DKIM, and DMARC; browser-based phishing detection; attachment sandboxing) reduce the volume of phishing that reaches users but cannot eliminate it. The defense strategy requires both layers. For a complete technical deep-dive, see Phishing and Social Engineering and Business Email Compromise (BEC) Deep-Dive.

---

What Is a SOC?

PDM Domain: Threat Intelligence and Defense (TID)

A Security Operations Center (SOC) is the centralized function within an organization responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats. The SOC is where security telemetry from across the organization converges: logs from firewalls, endpoints, identity systems, cloud platforms, and applications all flow in, and analysts work to distinguish genuine threats from the background noise of normal operations. If the organization is under active attack, the SOC is where that attack is first detected and from which the response is coordinated.

SOCs operate across several models. An in-house SOC is built and staffed by the organization itself, which provides the most direct control and the deepest integration with internal systems, but requires significant ongoing investment in talent (which is both expensive and in chronic short supply) and technology. Outsourced SOC capabilities, typically delivered through Managed Detection and Response (MDR) providers, shift the staffing and tooling burden to a third party in exchange for service fees. Hybrid models are increasingly common, where an internal security team handles first-party context and decision-making while an MDR provider handles 24/7 monitoring coverage. The analyst structure inside a SOC is typically tiered: Tier 1 analysts handle alert triage and initial investigation; Tier 2 analysts handle deeper investigation of escalated alerts; Tier 3 analysts handle advanced threat hunting, forensics, and the most complex incidents.

The central operational challenge in any SOC is alert fatigue. Modern security tooling generates enormous volumes of alerts, the large majority of which are false positives or low-priority noise. Analysts who spend their shifts manually reviewing hundreds of trivial alerts become desensitized and miss the real threats buried in the volume. This has driven investment in SOAR (Security Orchestration, Automation, and Response) platforms that automate repetitive triage tasks, SIEM (Security Information and Event Management) platforms for log aggregation and correlation, and EDR (Endpoint Detection and Response) platforms for deep visibility into host behavior. The goal is to give analysts the time and context to focus on decisions that require human judgment. For a complete technical deep-dive, see SOC Design and Architecture.

---

What Is Zero Trust?

PDM Domain: Identity Access and Trust (IAT)

Zero Trust is a security model built on a single foundational principle: never trust, always verify. No user, device, or network connection is trusted by default, regardless of whether it originates from inside the corporate network or outside it. Every access request must be authenticated, authorized, and continuously validated against security policy before access is granted and while that access continues. Trust is never assumed. It is earned, scoped, and time-limited.

The concept was formally introduced by John Kindervag at Forrester Research in 2010, in response to what he identified as the fundamental flaw in the prevailing network security model. That model, sometimes called "castle and moat," treats everything inside the network perimeter as trusted and everything outside as hostile. The problem is that this perimeter no longer means what it once did. Cloud computing, SaaS applications, mobile devices, and remote work have placed both data and users outside traditional network boundaries. A VPN connects a remote employee to the corporate network, but does nothing to prevent lateral movement if that employee's device is compromised. Once inside the perimeter, attackers operate with relative freedom. Major breaches, including the Target point-of-sale compromise, the SolarWinds supply chain attack, and numerous others, demonstrated exactly how quickly an initial foothold inside the perimeter translates into catastrophic access.

Zero Trust addresses this by eliminating the concept of a trusted perimeter entirely. The five commonly cited pillars are: identity (every user must be verified, typically with strong MFA, before accessing any resource), devices (every device must be assessed for health and compliance before being permitted access), networks (micro-segmentation limits lateral movement by ensuring that compromise of one segment does not grant access to others), applications (access is granted at the application level, not the network level), and data (data is classified and protected based on sensitivity, with access governed by least-privilege principles). CDA's Zero Possession Architecture (ZPA) extends Zero Trust into a rigorous implementation philosophy: trust nothing, possess nothing, verify everything. The "possess nothing" dimension addresses the risk of credential theft by designing systems that minimize what credentials can access and for how long. For a complete technical deep-dive, see Zero Trust Architecture.