Whether you are new to a career in cybersecurity, are an industry veteran or just need to understand a little about it for your business, it helps to understand the meanings of common vulnerability management words and phrases. Welcome to our A-Z Glossary of Vulnerability Management Terms.
Bookmark this page and if you ever find that a term is missing, let us know.
This is a type of software that performs a task.
In vulnerability management, acceptance is the concept of accepting a risk as one that doesn’t need to be addressed, at least for the time being.
A number of vulnerability scanners offer agent-based scanning. This is where a software agent sits on each host and performs scanning with access to the underlying operating system. This is generally considered the best approach to modern scanning because it reduces false positives.
In vulnerability management, an asset is typically a host, server, IP address, etc.
This is a list of all the assets within an organisation.
This is a disclosure of confidential information.
Otherwise known as “Common Vulnerabilities and Exposures”, this is a list of records for publicly known cybersecurity vulnerabilities.
The cloud refers to servers that are accessible over the internet that provide availability of resources such as data storage and processing.
In the context of vulnerability management, compliance is a typical reason for organisations to conduct vulnerability scans e.g. to adhere to a particular compliance framework.
Also known as a Configuration Management Database, this is used to store information about the IT environment, e.g. the asset inventory and the relationships between assets.
This is a method that combines multiple approaches to increase the velocity at which applications and services are delivered.
This is DevOps with security added into the approach.
Also known as Denial of Service, this is where an attacker’s aim is to make a service, machine or resource unavailable to its users.
This is similar to DoS, except the attack uses multiple machines/computers to cause unavailability.
An exploit is the method (typically a script/tool) used in an attack to take advantage of a flaw (vulnerability).
Exfiltration is where an attacker transfers data from an application or network to their own system post-exploitation.
This is protection that filters traffic coming in and out of a network.
A false positive in vulnerability management is when a scanner identifies a vulnerability that doesn’t really exist.
Written in full, the General Data Protection Regulation is a European law that mandates a level of data protection and privacy within the European Union and European Economic Area.
A hostname is a name or label that is used to identify a device connected to a network.
This is an individual who uses their skills to make something do what it was never supposed to do. It is also incorrectly used as a label for a malicious threat actor.
Infrastructure is a noun often used to refer to the IT network within an organisation.
This is a unique address that identifies a device on a network.
Also known as an Information Security Management System, this is a set of policies and procedures used to manage the information security efforts of an organisation.
An incident is a breach of a security policy that impacts confidentiality, integrity or availability.
These are the actions taken in response to an incident. Companies will often have an incident response plan in place to put into action when necessary.
Otherwise known as Key Performance Indicators, these are measurable targets that a company can set and monitor to track success/progress over time.
This is the outsourcing of a range of processes and functions in order to make cost savings and improve operations.
A managed service provider, or MSP, offers outsourced continuous IT support and services such as the management of a company’s IT infrastructure, technical support, software as a service and more.
Also known as a Managed Security Service Provider, an MSSP is an outsourced provider of security services such as intrusion detection, vulnerability scanning and virtual private networks. By using one, a cybersecurity team can typically make cost savings and fill any gaps in their knowledge or capabilities.
This is a vulnerability scanner which RankedRight supports. It was created by Tenable and forked from the open source scanner OpenVAS.
Otherwise known as the National Institute of Standards and Technology, it is a US government agency that has created a number of standards and references in the cyber security industry, notably NIST SP 800-53.
This is an abbreviation of on-premise and is where software or hardware is run on the premises of an organisation as opposed to in the cloud.
This is an open source security scanner that is now owned and maintained by Greenbone GmbH.
An abbreviation of Operational Technology, this is hardware and software used to detect, monitor or cause changes to devices or processes, typically in order to protect systems and networks from attack. It includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).
This is the act of ranking things in a particular order based on a specific method of priority. In the case of cyber security it is typically used to describe ordering vulnerabilities. RankedRight is an automated platform which prioritises vulnerabilities based on the rules the user has put in place. This means an information security team can spend their time tackling the most critical or high risk issues and keep their company safe.
This is the installation of a patch or fix from a vendor for a product that has a bug/vulnerability.
Otherwise known as the Payment Card Industry Data Security Standard, it is an information security standard which organisations that take card payments must adhere to.
While vulnerability scanning is typically seen as trying to actively identify whether a vulnerability is present by performing some kind of rule-based test, passive scanning is when no test is performed and instead network traffic or logs are assessed to infer whether a vulnerability is potentially present. This type of scanning is typically seen in high risk environments such as an OT environment, or in places where an active scan could negatively impact performance, e.g. payment processing in financial institutions.
This is the term used for the processes and procedures around patching assets within an environment. Patching is to patch management as vulnerability scanning is to vulnerability management.
This is a company that has a vulnerability scanning platform that RankedRight supports (Qualys VM).
While patching is applying a fix or patch, remediation is a little more holistic in the sense that it may involve applying some kind of compensating control, e.g. network segregation.
This is a company that has a vulnerability scanning platform that RankedRight supports (Nexpose/InsightVM).
This is the term used for the act of running an automated tool to identify security vulnerabilities.
Otherwise known as Service Level Agreements, this is a measurable commitment typically made by a service provider. SLAs can also be committed within an organisation as part of a policy.
This is a company that has a vulnerability scanning platform that RankedRight supports (Nessus/Tenable.io).
This is when an issue or log is created for a particular problem. In vulnerability management, tickets are typically made when vulnerabilities are to be remediated and to log the actions being taken.
In vulnerability management, this is an alternative term for prioritisation whereby an individual or team sorts through new vulnerabilities to identify which are critical and which can be accepted. For more information on manual triage, read our guide.
This is a weakness or flaw that could be leveraged by an attack (exploited) in order to impact the confidentiality, integrity or availability of the vulnerable system or asset.
This is the process and procedures around managing vulnerabilities within an environment. It typically includes regular vulnerability scanning and a remediation process.
This is an application that runs on a web server and is accessed via a web browser.
A severe threat, this is the name given to a vulnerability that is not yet publicly known and has no known way of being mitigated directly.
We intend to keep adding terms to this glossary so if you ever find that a term you need to understand is missing, let us know.