Bishop Fox Cybersecurity Style Guide V1
Bishop Fox Contact Information: +1 (480) 621- style@bishopfox 8240 S. Kyrene Road Suite A- Tempe, AZ 85284
Contributing Technical Editors: Brianne Hughes, Erin Kozak, Lindsay Lelivelt, Catherine Lu, Amanda Owens, Sarah Owens
We want to thank all of our Bishop Fox consultants, especially Dan Petro, for reviewing and improving the guide’s technical content.
WELCOME!
We are Bishop Fox, a global information security consulting firm based in the United States.
Welcome to our cybersecurity style guide. We compiled this guide to keep ourselves
technically accurate and up to date in our reports, presentations, and social media
interactions. Now we want to share our current standards with you.
This guide is designed for security researchers. It provides advice on which terms to use in
reports, how they should look in the middle of a sentence, and how to pronounce them out
loud. Since the terms are listed alphabetically, you’ll find serious usage advice right next to
playful entries about internet culture.
Each term in the guide earned its place by being unintuitive in some way:
- It may look like a non-technical word (execute, pickling, shell),
- It may be uniquely written (BeEF, LaTeX, RESTful),
- It may not follow a clear pattern (web page vs. website),
- It may have a very specific technical distinction (invalidated vs. unvalidated),
- Or its meaning may change depending on the context (crypto, PoC, red teaming).
Language is always evolving, and those changes are especially visible in an innovative field
like information security. This guide aspires to record those changes in vocabulary and
encourage researchers to use language intentionally as the digital lexicon continues to
grow. Learn more about what guides our style choices in Appendix A.
This is a work in progress. We intend to revise this list in the future and share subsequent
versions with the public. Please contact style@bishopfox with ideas about new
entries or improvements to existing entries.
NOTE
This guide is a starting point for further research into technical terms; it is not a
comprehensive dictionary. We provide usage notes about capitalization, fonts, and
pronunciation where needed, but not every term here is defined. You can find detailed
technical definitions in the external resources listed in Appendix B.
Advice on Technical Formatting
We use two fonts. Most of our text appears in Open Sans (this sans serif font). We refer to
Open Sans in the style guide as the normal font. The secondary font is Source Code Pro, a
monospace (fixed-width) font that we refer to throughout this guide as the tech font.
The tech font makes technical terms stand out to the reader when they appear in and out
of quoted code. We use the tech font for several reasons in several ways. Even with the
chart below, we’re still finding gray areas. Here is an overview of how we use these fonts:
Normal Font
- Titles of documents and file types: Bishop Fox Security Style Guide, a PDF file
- Error messages and security questions: “Please enter a valid user ID.”
- Names of organizations, companies, and teams: DEF CON, .NET, Tor, assessment team
- Names of products and their versions: Ethernet, Steam, Ubuntu 17.
- URIs, URNs, and URLs as clickable links: bishopfox/news/
- Line numbers and ports by themselves: “On line 42 of the code...”, port 80, port 443
- Types of fields, headers, parameters, etc.: data element, Content-Type header
- Types of requests: GET request, pull request, PUT request
- Reference numbers, standards, and vuln IDs: CVE-2014-6271, MS15-034, RFC 1918
Tech Font
- Full names of documents and files: Security_Style_Guide
- File paths: server/web/directory/
- Email addresses: style@bishopfox
- Usernames and passwords: @bishopfox, admin:admin, password
- References to URIs, URNs, and URLs: data:, bishopfox/ [variable]
- IP addresses (with or without ports): 192.168.1, 192.168.1:
- Names of fields, headers, parameters, etc.: C: drive, Secure flag, url parameter
- Quoted code: “Block [? ] characters”, “missing userID=42”
- Code excerpts: <b>Hello World!</b>, 3. Go to 1
Terms that use the tech font appear in that style everywhere in reports outside of headings
(including bullet points and figure captions).
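The font table can only be applied by hand, so here is an added example (ours as editors, not Bishop Fox tooling) of a small checker that enforces a few of its rows mechanically. It assumes the draft report is written in Markdown with backticks standing in for the tech font, and the regular expressions below are our stand-ins for the table rows, not anything the guide specifies. It flags IP addresses, email addresses, and file paths that appear outside backticks, and vulnerability IDs (which the table keeps in the normal font) that appear inside them.

```python
"""Added example: a lint pass over report prose for the font table above.

Assumptions (not from the style guide): the draft is Markdown, backticks mark
the tech font, and the regular expressions here stand in for the table rows.
"""
import re

# Rows the table puts in the tech font.
TECH_FONT = {
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "file path": re.compile(r"(?<![\w/.])(?:/[\w.-]+){2,}/?"),
}
# Rows the table keeps in the normal font even though they look like code.
NORMAL_FONT = {
    "vulnerability ID": re.compile(r"\bCVE-\d{4}-\d{4,7}\b|\bMS\d{2}-\d{3}\b"),
}
CODE_SPAN = re.compile(r"`[^`\n]+`")


def lint_line(line, lineno=1):
    """Return (lineno, kind, token, advice) tuples for one line of prose."""
    spans = [(m.start(), m.end()) for m in CODE_SPAN.finditer(line)]

    def in_tech_font(pos):
        return any(start <= pos < end for start, end in spans)

    findings = []
    for kind, pattern in TECH_FONT.items():
        for match in pattern.finditer(line):
            if not in_tech_font(match.start()):
                findings.append((lineno, kind, match.group(), "should use the tech font"))
    for kind, pattern in NORMAL_FONT.items():
        for match in pattern.finditer(line):
            if in_tech_font(match.start()):
                findings.append((lineno, kind, match.group(), "should use the normal font"))
    return findings


def lint(text):
    """Lint a whole document; line numbers are 1-based, as in “on line 42”."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        findings.extend(lint_line(line, lineno))
    return findings


# Constructed sample report text; the host, path, and address are made up.
SAMPLE = (
    "The host at 192.168.1.10:8080 served `/var/www/html/upload.php` to any client.\n"
    "The assessment team reported `CVE-2014-6271` on port 80 and emailed admin@example.com.\n"
)

if __name__ == "__main__":
    for lineno, kind, token, advice in lint(SAMPLE):
        print(f"line {lineno}: {kind} {token!r} {advice}")
```

Run against the sample, it reports the bare IP address and email address as needing the tech font and the backticked CVE ID as needing the normal font, while the path inside backticks and “port 80” pass. The clickable-link versus reference distinction for URLs is not checked, because in Markdown both forms look alike to a regular expression.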
THE CYBERSECURITY STYLE GUIDE
A-Z
!
The exclamation point or bang.
@
The at sign. Related: email, handle, usernames
#
The pound sign or hashtag. Only called hashtag when tagging something. This character and [♯] are sometimes used interchangeably and are pronounced as “sharp” in programming language names. Related: C♯, characters, numbers, tweet
/
Slash. Avoid using the slash to compare two things outside of set phrases like 24/7, and/or, client/server, h/t, and TCP/IP. Related: mm/dd/yyyy, s/o, SSL/TLS
\
Backslash. Related: carriage return character, \n
'
The tic character. Not an apostrophe.
0-day (n. or adj.)
A “zero-day” or “oh-day” finding. In formal writing, it’s better to use zero-day finding, previously undisclosed vulnerability, or publicly undisclosed vulnerability.
1Password
Password management software.
2FA or TFA
Two-factor authentication. Related: MFA, OTP
3DES
Triple DES. A symmetric key block cipher. DES is pronounced as letters or “dezz.”
3D printing (n.)
3G, 4G (adj. or n.)
Third- and fourth-generation communications technology. Cell phone network options. Do not spell out. Related: CDMA
3Scale
An API management platform.
4chan
A website for trolls and memes that birthed Anonymous and rickrolling. Related: dox, message board, NSFW, troll
7-Zip
An open source file archiver.
8.3 filename (n.)
Related: short-name
8-bit (adj.)
1080i, 1080p
Abbreviations for HD video modes that describe the frame resolution and scan type (interlaced or progressive scan, respectively). Pronounced “ten-eighty.” Do not spell out. Related: HDTV, numbers
2600
A hacker magazine founded in 1984. Also a series of local clubs. 2600/
A
a vs. an
Use “an” when the next word begins with a vowel sound when spoken, regardless of spelling. A hybrid test. A unified problem. A Xerox machine. An HTTP issue. An SSH tunnel. An underlying cause. An XSS attack.
a11y (n.)
Accessibility, often in relation to technology. 11 represents the 11 letters removed from the middle of the word “accessibility.” Related: i18n, k8s, L10n
abort (v.)
Avoid using this verb unless it’s in quoted code. Try force quit or interrupt instead.
abuse (n.)
This noun is acceptable in common industry phrases like “application abuse.” Avoid using it on its own if possible. Try “malicious use” instead.
abuse (v.)
This verb is OK in set phrases but do not use it on its own. Try alter, automate, compromise, deface, exhaust, exploit, force, impersonate, intentionally misuse, manipulate, reuse indefinitely, take advantage of, or a context-specific verb.
-accessible (adj.)
Always hyphenate.
access point (AP) (n.)
Spell out on first use.
ACE
Arbitrary code execution. Spell out on first use.
ACL, ACLs
Access control list. Spell out on first use.
AD (n.)
Active Directory. Spell out on first use.
adb or adb
Android Debug Bridge. adb is both a technology and a command. When writing about the command, use the tech font.
ad blocking (n.), ad-blocking (adj.)
add on (v.), add-on (n.)
address bar (n.)
ad hoc (adj.)
This describes immature security infrastructure. In networks (especially wireless ones), ad hoc means decentralized.
and/or
Use sparingly in formal writing.
Android
Google’s mobile operating system.
android (n.)
angle brackets (n.)
The [ < ] and [ > ] characters. Related: characters
AngularJS
A JavaScript framework.
Animoji
Animated emoji created by Apple.
anonymization (n.)
Anonymous
An international group of 4chan hacktivists with a Guy Fawkes mask symbol.
Ansible
An agentless configuration management and automation tool. It manages Linux, Windows, and network devices over SSH or WinRM without installing an agent on the managed hosts.
ansible (n.)
A fictional instantaneous hyperspace communication device named by Ursula K. Le Guin.
anti-malware (adj. or n.)
antivirus (AV) (adj. or n.)
AP (n.)
Access point. Spell out on first use.
Apache Server
Aperture Science
A fictional research company from the Portal series of video games.
API , APIs
Application programming interface. How software interacts with other software. Do not spell out.
app vs. application
Smart devices like phones and tablets have apps, computers have applications. App can also be a shortened form of application. To the security industry, they are all computer programs.
Apple
Related: FaceTime, FairPlay, iOS, iPhone, Lightning cables, Mac OS X, macOS, PowerBook, Siri, WWDC
applet (n.)
Apple TV
application security (n.)
The discipline of securing software applications. It is a subset of information security, not a synonym for it.
APT (n.)
Application penetration testing. Also stands for advanced persistent threat or advanced packaging tool. Spell out on first use in public-facing documents. Related: criticality, EPT, IPT, pen testing
AR (n. or adj.)
Augmented reality. Related: IoT, VR, Vuforia
arbitrary (adj.)
Of the attacker’s choosing, as in “the user would be redirected to an arbitrary URL.”
Archer
An animated spy TV show that inspired the name of the Bishop Fox Danger Drone. It’s also the name of an RSA security product.
Arduino (n.)
Pronounced “ar-dweeno.”
ARM
This refers to either the Architecture Reference Manual or to RISC architecture used in microprocessors. Define briefly on first use to clarify your intended meaning.
ARPANET
Advanced Research Projects Agency Network; the packet-switched network that preceded, and grew into, the internet. Do not spell out.
artificial intelligence (AI) (n.)
ASCII
Pronounced “ask-ee.”
ASLR
Address space layout randomization. Spell out on first use.
ASN.1
Abstract Syntax Notation One. Related: BER, X.
ASP
asset (n.)
Assets are systems, software, applications, libraries, personnel, equipment, or anything else that clients value and want to protect.
ASV
Approved scanning vendors. Spell out on first use. Related: PCI
ATM
Short for automated teller machine or “at the moment.” “ATM machine” is redundant. Related: PIN, SSN
at-rest (adj.), at rest
At-rest encryption. Data at rest.
attack chain (n.)
Related: elevation of privileges
attacker-controlled (adj.)
attacker-owned (adj.)
attack surface (n.)
attributes (n.)
A specification of a value. If it’s a type of attribute, use the normal font. If it’s a specific attribute, use the tech font, as in “a username attribute."
audio conferencing (n. or adj.)
Related: videoconferencing
audit trails (n.)
AUP
Acceptable Use Policy. Spell out on first use.
-based (adj.)
Always hyphenate. Ex: host-based, logic-based, role-based
baseline (n.)
Bash
BASIC
A programming language.
bastion host (n.)
A host exposed to an untrusted network and used as the gateway for reaching the hosts behind it. Because compromising it lets an attacker pivot further inside, it should be specially hardened and run as little as possible.
BBS
Bulletin board system.
BCC, BCC’d, BCCing
Blind carbon copy. Do not spell out. Related: CC, email
BCP
Business continuity plan. Spell out on first use.
bcrypt
Pronounced “bee-crypt.” A password hashing function.
BEC
Business email compromise. Spell out on first use. Related: phishing
BeEF, BeEF hooking
Browser Exploitation Framework.
BER
Bit error rate. It can also stand for “Basic Encoding Rules,” so spell out on first use.
best practices (n.)
Practices that align with compliance guidelines or industry standards. Corporate jargon; use sparingly. Related: CIS 20, compliance framework
beta (n. or adj.)
BF
An informal name for Bishop Fox. Used very sparingly in places where space is limited.
BGP
Border Gateway Protocol. Spell out on first use.
Big Brother
The symbol of totalitarian surveillance from the novel Nineteen Eighty-Four. Big Brother is watching you.
big data (n.)
big-endian (adj.)
BIG-IP
A load balancer. Pronounced “big-eye-pee.”
billion laughs attack (n.)
Related: DoS
binary (n. or adj.)
Base-2 number system. 0 or 1. Can also refer to binary executable files. Related: big-endian, little-endian
BIND
A DNS server.
birds of a feather (BoF) (n.)
An informal discussion group.
birth date (n.)
Related: DOB, PII
Bishop Fox
Our company. Related: BF, Danger Drone, DeepHack, -Diggity, foxes, Lucius Fox, Martin Bishop, Rickmote Controller, SmashBot, SpellCheck, SpoofCheck, Tastic RFID Thief
bit (n.), -bit (adj.)
As in “a key length of at least 2048 bits” or “a 2048-bit RSA key.” When abbreviated, use lowercase b for bits, uppercase B for bytes.
Bitbucket
An Atlassian product for Git and Mercurial.
bitcoin or Bitcoin (n.)
Digital cryptocurrency. Related: coins vs. tokens, cold wallet, crypto mining, hot wallet
bit-flipped (adj.), bit-flipping (adj.)
BitLocker
Microsoft Windows disk encryption software.
bitmap (n.)
bitrate (n.)
bitsquatting (n.)
bitstream (n.)
BitTorrent
BlackBerry
black box (n.), black-box testing (n.)
Related: gray-box testing, white-box testing
Black Hat
A series of annual security conferences that happen in the USA, Europe, and Asia. blackhat/
black hat (n.)
An attacker or malicious user. Informal. Related: gray hat, white hat
blacklist, blacklisting (v. or n.)
Related: blocklist, whitelist
black market (n.)
We prefer to use this term in formal reports to describe unindexed illegal online activity hubs. Tor and I2P are anonymity networks whose hidden services are colloquially called the “dark web.” Related: bank drops, cash-out guide, dark net, fullz, I2P, Silk Road, Tor
bleeding edge (n. or adj.)
blind (adj.)
During a blind attack, the attacker is unable to view the outcome of an action.
bloatware (n.)
BLOB or blob (n.)
Binary large object.
brick-and-mortar (adj.)
Describes IRL places of business.
browsable (adj.)
browser fingerprinting (n.)
browser hijacking (n.)
brute-force (v. or n.), brute-forcing (n.)
BSD
Berkeley Software Distribution. A Unix-derived operating system.
BSides
A global series of security events. securitybsides/
buckets (n.)
When discussing a type of bucket, use the normal font. When discussing a specific bucket by name, use the tech font for the name, as in “an oz-provision bucket."
buffer overflow (BOF) (n.)
bug bounty (n.)
Related: Bugcrowd, HackerOne
Bugcrowd
A crowdsourced bug bounty security company.
built-in (adj.)
bulleted (adj.)
bullet point (n.)
bullet time (n.)
Burp Suite, Burp Collaborator
A web application proxy.
business impact analysis (BIA) (n.)
Spell out on first use.
BuzzFeed
BYOD
Bring your own device. It describes companies that allow employees to use their own computers and phones for work. BYOD is pronounced as letters or spoken as the whole phrase.
bypass (v. or n.)
byproduct (n.)
bytecode (n.)
bytes (n.)
Kilobytes, megabytes, gigabytes, terabytes, petabytes. KB, MB, GB, TB, PB. No space between number and unit, as in 64TB. Use uppercase B for bytes, lowercase b for bits. Related: MiB, units of measurement
C
C♯
A programming language. Pronounced as “C sharp.” Related: # , hashtag
C-3PO
A fictional protocol droid from Star Wars.
CA
Certificate or certification authority. Spell out on first use. Related: CEH, CISSP
cache (n. or v.)
cache busting (n.)
cache poisoning (n.)
CactusCon
An annual security conference in Arizona. cactuscon/
callback (adj. or n.)
As in “a crafted callback parameter.”
callback hell (n.)
Deeply nested asynchronous callbacks that make code hard to read and maintain. It is a readability problem, not an infinite loop.
CAM
Computer-aided manufacturing. Spell out on first use. Related: LMS
canary account (n.)
Related: honeypot
canonicalization (n.), canonicalize (v.)
CAPTCHA, CAPTCHAs
The Completely Automated Public Turing test to tell Computers and Humans Apart. A challenge-response test. Related: computer vision, reCAPTCHA
carriage return character or \r
An invisible character that makes the text go back to the beginning of the line. It’s a skeuomorph that refers to the way typewriters need to “return” a carriage to its original position.
case-by-case (adj.)
case-sensitive (adj.), case sensitivity (n.)
cash-out guide (n.)
Related: black market
catch (v.)
Related: throw
The Cathedral and the Bazaar (CatB)
CBC
Cipher block chaining. Do not spell out; briefly define on first use.
CC, CC’d, CCing
Carbon copy. Do not spell out. Related: BCC, email
CCC or C3
Chaos Communication Congress. An annual security conference in Germany.
CCTV
Closed circuit television. Do not spell out.
CD, CD-R, CD-ROM, CD-RW (n.)
CDMA
Code division multiple access. Spell out or briefly define on first use.
chmod
Short for change mode. Pronounced as “change mod,” “C-H-mod,” or “chuh-mod.” Related: chattr, chroot
Chrome
A Google web browser.
Chromecast (n. or v.)
chroot
Short for change root. A Unix operation that makes a directory appear to a process (and its children) as the root of the filesystem. Pronounced as “C-H-root” or “chuh-root.” Related: chattr, chmod
chroot directory or ChrootDirectory
The directory a chrooted process sees as its root. ChrootDirectory is also the sshd_config directive that confines an SSH session to such a directory; use the tech font when referring to the directive.
chroot jail (n.)
A way to isolate a process from the rest of the system. On its own it is not a full security boundary: a jailed process that keeps root privileges can break back out.
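To make the jail entry concrete, here is an added example (written for this edit, not code from the guide or from OpenSSH) of entering a chroot jail from Python in the order that avoids the common mistakes. The jail path and the unprivileged uid and gid are assumed inputs; the script must run as root because chroot() requires CAP_SYS_CHROOT, and the jail directory must already contain whatever the confined program needs.

```python
"""Added example: enter a chroot jail, then give up root so it holds.

Assumed inputs (not from the style guide): a jail directory that already
holds the confined program and its libraries, and an unprivileged uid/gid
(65534 is the conventional "nobody" on many Linux systems).
"""
import os
import sys


def can_chroot():
    """chroot() is only available to root (CAP_SYS_CHROOT)."""
    return os.geteuid() == 0


def enter_jail(root, uid, gid):
    """Confine the current process to `root` and drop root privileges.

    Order matters:
      1. chroot(root) while still root, because the call needs CAP_SYS_CHROOT.
      2. chdir("/") so the working directory is inside the new root; a cwd
         left outside the jail still points at the real tree.
      3. setgroups/setgid/setuid so the process can no longer call chroot()
         again, which is the classic escape from a jail that kept root.
    Returns True once a later attempt to regain uid 0 is refused.
    """
    if not can_chroot():
        raise PermissionError("chroot() requires root (CAP_SYS_CHROOT)")
    os.chroot(root)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)  # must fail: the privilege drop has to be irreversible
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: the process can still regain root")


if __name__ == "__main__":
    # usage: sudo python3 jail.py /path/to/jail 65534 65534 /bin/sh
    # The program path is resolved inside the jail, so it must exist there.
    jail, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    enter_jail(jail, uid, gid)
    os.execv(sys.argv[4], sys.argv[4:])
```

Swapping steps 2 and 3 is the usual bug: dropping privileges first makes chroot() fail, and skipping the drop leaves a root process that can create a new directory, chroot() into it, and walk back up to the real filesystem. The final setuid(0) check turns that assumption into a runtime assertion rather than a hope.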
CIA
Short for the Central Intelligence Agency or the triad of information security concerns: confidentiality, integrity, and availability.
CIO
Chief information officer. Related: CFO, CISO, CRO, CTO
cipher (n.)
Don’t use “cypher.” Write the names of ciphers in the normal font, as in Blowfish. Related: RSA, SHA-
cipher suite (n.)
ciphertext (n.)
CIS 20
The Center for Internet Security has a list of 20 guidelines for securing organizations. cisecurity/controls/
Cisco
CIS CSC
CIS Critical Security Controls. Related: CIS 20
CISO
Chief information security officer. Pronounced “seeso.”
CISSP
A security certification. Certified Information Systems Security Professional.
class, classes (n.)
When discussing a specific class by name, use the tech font, as in “a Time class.”
cleartext vs. plaintext
In common usage, these terms are used interchangeably. In our reports, cleartext means unencrypted content. Plaintext is a more technical term that describes the input to a cryptographic system (which itself may already be encrypted or hashed). Related: CPA, plaintext
clear web or Clear Web (n.)
This is used in contrast to the “dark web” or “dark net” parts of the internet. It refers vaguely to publicly accessible sites that have been indexed by search engines. Informal.
CLI
Short for command-line interface or command language interpreter. Spell out on first use.
clickbait (n.)
clickjacking (n.)
In formal writing, we refer to this finding as “user interface (UI) redress.” It’s also called “cross-frame scripting.”
click through (v.), clickthrough (adj. or n.)
client-side (adj.)
clip art (n.)
Clippy
The discontinued anthropomorphic paper clip assistant in Microsoft Office.
closed caption (n.), closed-caption (adj.)
the cloud (n.)
Corporate jargon; “the cloud” is just servers.
cloud computing (n.)
CloudFront
An AWS content delivery network (CDN).
CloudTrail
An AWS logging and monitoring service.
cluster (n.)
As in “provision a cluster on each account.”
CMDB
Configuration management database. Spell out on first use.
CMS
Content management system. Spell out on first use.
co-creator (n.)
code (n. or v.)
codebase (n.)
Related: user base
codec
Short for coder/decoder. A device or program that encodes and decodes a data stream, usually compressing and decompressing it. Do not spell out.
Codecademy
code path (n.)
code shrinking (n.)
coins vs. tokens
These are units of worth in virtual currencies. These terms are sometimes used interchangeably and sometimes used very differently. Define briefly on first use to clarify your intended meaning. Related: bitcoin, cryptocurrency
cold-call (v.), cold call (n.)
A social engineering strategy.
cold storage (n.)
cold wallet (n.)
Offline bitcoin storage. Related: hot wallet