The A-Z Glossary of Vulnerability Management Terms

The A-Z Glossary of Vulnerability Management Terms

Whether you are new to a career in cybersecurity, are an industry veteran or just need to understand a little about it for your business, it helps to understand the meanings of common vulnerability management words and phrases. Welcome to our A-Z Glossary of Vulnerability Management Terms.

Bookmark this page and if you ever find that a term is missing, let us know.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A

Application

This is a type of software that performs a task.  

Acceptance

In vulnerability management, acceptance is the concept of accepting a risk as one that doesn’t need to be addressed, at least for the time being.

Agent-based

A number of vulnerabilities scanners have Agent-based scanning. This is where a software agent sits on the hosts and performs scanning that has access to the underlying operating system. This is generally considered to be the best approach to modern scanning due to the reduction in false positives.  

Asset

In vulnerability management, an asset is typically a host/server/IP etc.

Asset Inventory

This is a list of all the assets within an organisation.

B

Breach

This is a disclosure of confidential information.

C

CVE

Otherwise known as “Common Vulnerabilities and Exposures”, this is a list of records for publicly known cybersecurity vulnerabilities.

Cloud

The cloud refers to servers that are accessible over the internet that provide availability of resources such as data storage and processing.

Compliance

In the context of vulnerability management, compliance is a typical reason for organisations to conduct vulnerability scans e.g. to adhere to a particular compliance framework.

CMDB

Also known as a Configuration Management Database, this is used to store information about the IT environment e.g the asset inventory and their relationships.

CVSS

The Common Vulnerability Scoring System is a cyber industry standard vulnerability scoring method.  To learn more about this method vs others, check out our guide to vulnerability prioritisation.

D

Dev Ops

This is a method that combines multiple approaches to increase the velocity at which applications and services are delivered.

Dev Sec Ops

This is dev ops with security added into the approach.  

DoS

Also known as Denial of Service, this is where an attacker’s aim is to make a service, machine or resource unavailable to its users.

DDoS

This is similar to DoS, except the attack uses multiple machines/computers to cause unavailability.

E

Exploit

An exploit is the method (typically a script/tool) used in an attack to take advantage of a flaw (vulnerability).

Exfiltrate

Exfiltration is where an attacker transfers data from an application or network to their own system post-exploitation.

F  

Firewall

This is protection that filters traffic coming in and out of a network.

False Positive

A false positive in vulnerability management is when a scanner identifies a vulnerability that doesn’t really exist.

G

GDPR

Written in full, the General Data Protection Regulation is a European law that mandates a level of data protection and privacy within the European Union and European Economic Area.

H

Hostname

A hostname is a name or label that is used to identify a device connected to a network.

Hacker

This is an individual who uses their skills to make something do what it was never supposed to do. It is also incorrectly utilised as a label for a malicious threat actor.

I

Infrastructure

Infrastructure is a noun often used to refer to the IT network within an organisation.

IP address

This is a unique address that identifies a device on a network.

ISMS

Also known as an Information Security Management System, this is a set of policies and procedures used to manage the information security efforts of an organisation.

Incident

An incident is a breach of a security policy that impacts confidentiality, integrity or availability.

Incident Response

This is the actions taken in response to an incident. Often companies will have an incident response plan in place to put into action when necessary.

K

KPIs

Otherwise known as Key Performance Indicators, these are measurable targets that a company can set and monitor to track success/progress over time.

M

Managed Service

This is the oursourcing of a range of processes and functions in order to make cost savings and improve operations.  

MSP

A managed service provider, or MSP, offers outsourced continuous IT support and services such as the management of a company’s IT infrastructure, technical support, software as a service and more.  

MSSP

Also known as a Managed Security Service Provider, an MSSP is an outsourced provider of security services such as intrusion detection, vulnerability scanning and virtual private network. In using one, a cybersecurity team can typically make cost savings and fill any gaps in their knowledge or capabilities.  

N

Nessus

This is a vulnerability scanner which RankedRight supports. It was created by Tenable and forked from the opensource scanner OpenVAS.

Nist

Otherwise known as the National Institute of Standards and Technology, it is a US government agency that has created a number of standards and references in the cyber security industry, notably NIST SP 800-53.

O

On-prem

This is an abbreviation of on-premise and is where software or hardware is run on the premises of an organisation as opposed to in the cloud.

OpenVAS

This is an open source security scanner that is now owned and maintained by Greenbone GMbH.

OT

An abbreviation of Operational Technology, this is hardware and software used to detect, monitor or cause changes to devices or processes, typically in order to protect systems and networks from attack. It includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).

P

Prioritisation

This is the act of ranking things in a particular order based on a specific method of priority. In the case of cyber security it is typically used to describe ordering vulnerabilities. RankedRight is an automated platform which prioritises vulnerabilities based on the rules the user has put in place. This means an information security team can spend their time tackling the most critical or high risk issues and keep their company safe.  

Patching

This is the installation of a patch or fix from a vendor that has a bug/vulnerability.

PCI DSS

Otherwise known as the Payment Card Industry Data Security Standard, it is an information security standard which organisations that take card payments must adhere to.

Passive Scanning

While vulnerability scanning is typically seen as trying to actively identify if a vulnerability is present by performing some kind of rule based test, passive scanning is when no test is performed and instead network traffic or logs are assessed to infer if a vulnerability is potentially present. This type of scanning is typically seen in high risk environments such as an OT environment or in places where an active scan could negatively impact the performance e.g. payment processing in financial institutions.

Patch Management

This is the term used for the processes and procedures around patching assets within an environment. Patching is to patch management like vulnerability scanning is to vulnerability management.

Q

Qualys

This is a company that has a vulnerability scanning platform that RankedRight supports (Qualys VM).

R

Remediation

While patching is applying a fix or patch, remediation is a little more holistic in the sense that it may be applying some kind of compensating control e.g. network segregation.

Rapid7

This is a company that has a vulnerability scanning platform that RankedRight supports (Nexpose/InsightVM).

S

Scanning

This is the term used for the act of running an automated tool to identify security vulnerabilities.

SLAs

Otherwise known as Service Level Agreements, this is a measurable commitment typically made by a service provider. SLAs can also be committed within an organisation as part of a policy.  

T

Tenable

This is a company that has a vulnerability scanning platform that RankedRight supports (Nessus/Tenable.io).

Ticketing

This is when an issue or log is created for a particular problem. In vulnerability management tickets are typically made when vulnerabilities are to be remediated and to log actions that are being taken.

Triage

In vulnerability management, this is an alternative term for prioritisation whereby an individual or team sorts through new vulnerabilities to identify which are critical and which can be accepted. For more information on manual triage, read our guide.

V

Vulnerability

This is a weakness or flaw that could be leveraged by an attack (exploited) in order to impact the confidentiality, integrity or availability of the vulnerable system or asset.

Vulnerability Management

This is the process or procedures around managing vulnerabilities within an environment. It typically includes regular vulnerability scanning and a remediation process.

W

Web application

This is an application that runs on a web server and is accessed via a web browser.

Z

Zero Day

A severe threat, this is the name given to a vulnerability that is unknown and has no known way of mitigating directly.  

We intend to keep adding terms to this glossary so if you ever find that a term you need to understand is missing, let us know.