Glossary
The terms that show up in advisories, vendor bulletins, CERT-IS notices, and across this site — defined for someone who runs systems, not someone studying for an exam. Cross-references in bold point to other entries.
72-hour rule. Iceland's data-protection law (lög 90/2018, GDPR Article 33) requires notification of Persónuvernd of any personal-data breach "without undue delay and, if possible, no later than 72 hours after the data controller becomes aware". The clock starts at awareness, not at occurrence — those can be months apart. Late notifications must include written reasons. The most-referenced compliance tripwire in Icelandic incident response. See the defender handbook §4 and the Strætó case for what counts as "becoming aware".
A
AitM — Adversary-in-the-Middle. A phishing proxy that mirrors a real login page in real time (Evilginx, Tycoon, others), capturing both the password and the session token after the user satisfies MFA. Defeats SMS / TOTP / push MFA because the user genuinely authenticates — the captured token then lives in the attacker's cookie jar for as long as it does in yours (7–30 days for an M365 refresh token). Defeated by phishing-resistant MFA (FIDO2 / passkeys / Windows Hello). The dominant token-theft vector against M365 and Workspace in 2025–26. See defender handbook §7a.
APT — Advanced Persistent Threat. A well-resourced, usually state-aligned attacker that plays the long game: quiet, persistent, after access or information rather than a fast payout. The label gets overused; the real point of contrast is patience and tradecraft versus the smash-and-grab of commodity crime. Most often reaches a mid-size org through a supplier rather than head-on.
ASN — Autonomous System Number. The identifier for a network that routes its own block of IP addresses (a hosting company, an ISP, a big enterprise). Knowing which ASN an IP belongs to is most of the context: "noisy IP at a giant consumer ISP" and "noisy IP at a tiny niche host" mean very different things. This site's Iceland dashboard buckets threat indicators by ASN for that reason.
Attack surface. Everything an attacker could conceivably touch — every internet-facing service, login page, API, VPN gateway, exposed RDP, forgotten subdomain. "Reducing attack surface" = turning off, firewalling, or consolidating things you don't need exposed. See the site's attack-surface view.
Authentication bypass / broken access control. A flaw that lets someone skip the login, or act as a user/role they shouldn't. Includes IDOR. Consistently one of the most-exploited bug classes against internet-facing software. Browse them at /class/auth-bypass.
B
Backdoor. A hidden way back in — a rogue account, a planted web shell, a modified binary. After initial access, attackers install one so they keep their foothold even if you patch the original hole. (See the Persistence tactic under MITRE ATT&CK.)
BEC — Business Email Compromise. Fraud through a compromised mailbox. Attacker takes over a real M365 or Workspace mailbox (usually via AitM phishing), reads invoice and finance threads, then replies inside an ongoing thread asking the counterparty to wire to a new bank account. The volume driver behind Iceland's 47% YoY growth in phishing cases in 2025 (CERT-IS annual report). Defences live in the tenant and domain configuration (Conditional Access, FIDO2 on admins, DMARC on every owned domain), not in the user — see defender handbook §7a.
BOD 22-01. The US CISA Binding Operational Directive that created the KEV catalog and obliges US federal agencies to remediate KEV entries on a deadline. You're (probably) not bound by it — but it's why KEV exists, and KEV is the best "patch now" list anyone publishes.
Botnet. A fleet of compromised machines (servers, home routers, IoT cameras) under one operator's control — rented out for DDoS, spam, credential-stuffing, or proxying. Your edge router on a default password is somebody's botnet node.
Brute force / credential stuffing. Guessing passwords at scale (brute force) or replaying username/password pairs leaked from other breaches (credential stuffing, far more effective). The reason MFA and account lockout/rate-limiting exist. A large share of "attacks on Iceland" in any feed is exactly this against SSH, RDP, and webmail.
C
C2 — Command and Control (also C&C). The channel malware uses to phone home for instructions and to ship stolen data out. Detecting and blocking C2 traffic is a core SIEM/EDR job; this site publishes a C2-IP blocklist feed.
CERT-IS. Iceland's national Computer Emergency Response Team / CSIRT, at the Ministry for Foreign Affairs since February 2025 (previously under Fjarskiptastofa). Coordination, advisories, incident support, and Iceland's seat in the European CSIRT network. The org you call when something that matters is on fire. See the defender handbook §3.
CIS Controls. A prioritised, pragmatic checklist of security practices (asset inventory, secure configuration, MFA, logging, …) from the Center for Internet Security. A good "what should we actually do, in what order" reference for a small team.
CISA — Cybersecurity and Infrastructure Security Agency (US). Publishes the KEV catalog and a stream of advisories. Not your regulator, but a feed worth following — when CISA adds something to KEV, it's confirmed exploited.
Conditional Access. Microsoft Entra ID's policy engine for "allow / block / require X" on sign-in attempts, based on signals: user, group, app, device compliance, IP location, sign-in risk score. The lever that lets you require FIDO2 for admins, block legacy auth protocols, demand a compliant device for finance apps. Equivalent capabilities exist in Okta (Sign-On Policies + Workflows) and Google Workspace (Context-Aware Access). The setting that most often catches the AitM → token-theft attack chain. See defender handbook §7a.
CVD — Coordinated Vulnerability Disclosure (and bug bounty). The grown-up way a stranger who found a hole in your system tells you before they tell the world: a published contact (a security.txt file at /.well-known/security.txt, a disclosure policy, optionally a paid bug-bounty programme), an agreed window to fix, then disclosure. In Iceland, Defend Iceland (defendiceland.is) runs a national bug-bounty / CVD platform — spun out of the security firm Syndis, run as a standalone company, EU Digital Europe co-funded — that participating organisations plug into. The point for an admin: "we got a vulnerability report from a stranger" should be a process you designed in advance, not a fire drill.
CVE — Common Vulnerabilities and Exposures. The unique identifier for one specific vulnerability, e.g. CVE-2024-3400. It's a name, nothing more — severity comes from CVSS/EPSS/KEV. On this site, any CVE ID resolves at /tag/cve-2024-3400 to a grounded summary, related CVEs, and MITRE ATT&CK mappings.
CVSS — Common Vulnerability Scoring System. The 0–10 severity score: exploitability factors (attack vector, complexity, privileges/interaction) plus impact (confidentiality/integrity/availability). 9.0–10.0 is critical, 7.0–8.9 is high. Describes the bug in the abstract — it doesn't know if it's being exploited or whether you're exposed.
CWE — Common Weakness Enumeration. The class of mistake behind a CVE: CWE-78 OS command injection, CWE-502 unsafe deserialization, CWE-22 path traversal, CWE-787 out-of-bounds write. Useful because the class tells you what kind of fix or mitigation helps, and lets you spot a recurring pattern in a product. This site groups CVEs into ~18 classes — see any /class/ page.
D
Data breach. Unauthorised access to, disclosure of, or loss of data. When it involves personal data, it's a notifiable event under Iceland's data-protection law — see the 72-hour rule.
DDoS — Distributed Denial of Service. Overwhelming a service with traffic from many sources (often a botnet) so legitimate users can't reach it. Mitigation is mostly upstream — your ISP, a scrubbing provider, a CDN — so know who you'd call before it happens.
Deserialization vulnerability. When an app rebuilds an object from attacker-controlled serialized data without checking it, often leading straight to RCE. A perennial source of critical bugs in Java/.NET/PHP enterprise software. Browse them at /class/deserialization.
DMARC — Domain-based Message Authentication, Reporting and Conformance. A DNS-published policy telling receiving mail servers what to do (none / quarantine / reject) with mail claiming to be from your domain that fails SPF or DKIM. Set to quarantine or reject to prevent attackers spoofing your domain. Doesn't help against lookalike domains (origo-finance.com vs origo.is); does close the easy half of email impersonation. See defender handbook §7a.
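The "none / quarantine / reject" distinction above is the part that gets checked wrong most often, so here is an added example (not this site's code) that parses a DMARC TXT record and reports whether it actually enforces anything. The two records, the domain example.is and the findings wording are constructed; no DNS lookup is performed.

```python
"""Check a DMARC TXT record for the gap the glossary entry describes: a record that
exists but is still p=none (or only partly enforced). Added example, not this site's
code; the two records below are constructed and no DNS lookup is performed."""


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict. Raises on non-DMARC input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                       # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)    # rua= URIs may themselves contain '='
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(txt: str):
    """Return (enforcing: bool, findings: list[str]) for one record."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    try:
        pct = int(tags.get("pct", "100"))    # absent pct means 100
    except ValueError:
        pct = 0
        findings.append(f"unparseable pct={tags['pct']!r}")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: you will never see aggregate reports")
    subpolicy = tags.get("sp", policy).lower()   # sp defaults to p
    if subpolicy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    enforcing = policy in ("quarantine", "reject") and pct == 100 and subpolicy != "none"
    return enforcing, findings


# Constructed records for an imaginary domain (not a real DNS lookup).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.is"
HARDENED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.is; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        ok, notes = assess_dmarc(record)
        print(label, "enforcing" if ok else "NOT enforcing", notes)
```

Remember that a passing record still does nothing against lookalike domains; it only closes off mail that claims to be from the domain you actually own.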
DORA — Digital Operational Resilience Act. Iceland's lög 78/2025, passed 24 November 2025, implementing EU regulation 2022/2554. Already in force (early 2026). Covers banks, insurers, payment institutions, asset managers — and their ICT third-party providers. The reach is wider than the name suggests: if your customer is an Icelandic financial entity, DORA's third-party requirements pull through your contract (incident-reporting timelines tighter than NIS2, mandatory clauses, exit plans, threat-led pen-test cooperation). Supervisor: Seðlabanki Íslands. See defender handbook §4.
DPA — Data Protection Authority. In Iceland, Persónuvernd: enforces data-protection law, investigates breaches, issues rulings and fines. Its published decisions double as a free supply of real local case studies (see Strætó in the defender handbook §5).
E
EDR — Endpoint Detection and Response. Software on endpoints/servers that watches behaviour, flags suspicious activity, and lets you investigate and contain. The modern descendant of antivirus. Attackers' first move after gaining admin is often to try to disable it — so "is our EDR tamper-resistant?" is a real question.
EPSS — Exploit Prediction Scoring System. A 0–100% probability that a CVE will be exploited in the wild in the next 30 days, from observed activity. Pair it with CVSS: CVSS says how bad if used, EPSS says how likely to be used. A high-CVSS / low-EPSS bug and a mid-CVSS / high-EPSS bug deserve very different urgency.
Exploit. Working code or a technique that actually uses a vulnerability to do something — versus a PoC, which just proves it's real. "Exploited in the wild" (the KEV bar) means attackers are doing this now, to real targets.
F
FIDO2 / WebAuthn / passkeys. Phishing-resistant MFA. The browser proves identity to the exact real domain using a cryptographic key bound to that origin — so an AitM proxy on a lookalike domain (m1crosoft.com) gets nothing useful. Implementations: hardware keys (YubiKey, Titan, Feitian), platform authenticators (Windows Hello for Business, Apple Touch ID / Face ID, Android passkeys), and synced passkeys. The tier above SMS / TOTP / push for any account that matters. Mandate it for admins and privileged users; allow it as an option for everyone else. See defender handbook §7.
Fjarskiptastofa. The Electronic Communications Office of Iceland (the former Póst- og fjarskiptastofnun, PFS) — the telecoms/electronic-communications regulator, and the historical home of CERT-IS until February 2025 (CERT-IS now sits at the Ministry for Foreign Affairs; Fjarskiptastofa keeps the regulatory role). Increasingly central as NIS2 lands.
G
GDPR — General Data Protection Regulation. EU regulation 2016/679 on personal-data protection, implemented in Icelandic law as lög 90/2018. Defines rights of data subjects (access, erasure, rectification, portability), obligations of controllers and processors, the 72-hour rule on breach notification, and a fine ceiling of up to 4% of global annual revenue. Persónuvernd enforces it in Iceland. The reason "we hadn't tested for it" isn't a defence after a breach (see the Strætó case) and the reason the 72-hour clock starts at awareness, not at occurrence.
H
Hardening. Systematically shrinking what can go wrong on a system: remove unused services and accounts, change defaults, restrict privileges, apply a secure-configuration baseline (CIS benchmarks, vendor guides), turn on logging. The unglamorous work that prevents the glamorous incident.
I
IDOR — Insecure Direct Object Reference. A flavour of broken access control: the app uses an identifier you supply (a record number, a filename, an account ID) without checking you're allowed that one — so you iterate the number and read other people's data. Boring, ubiquitous, easy to test for, easy to forget to test for — especially right after a "small" API change.
IoC — Indicator of Compromise. A concrete artefact that suggests a system is or was compromised: a malicious IP or domain, a file hash, a registry key, a URL. Threat feeds are streams of IoCs; this site publishes several blocklist feeds of them, including an Iceland-focused one. (Contrast TTP — IoCs are cheap for attackers to change, TTPs aren't.)
Initial access. The first foothold in a target — the MITRE ATT&CK tactic TA0001. In practice it's overwhelmingly an exploited internet-facing device (T1190), a phishing victim (T1566), or valid stolen credentials (T1078). Patch the edge, train the people, kill reused passwords — in that order of leverage.
ISNIC — Internet á Íslandi hf. Runs the .is country-code TLD and operates RIX (as a separate function within the same organisation). The practical gatekeeper for .is domain abuse/takedown and the operator of Iceland's main peering point. See the site's ISNIC policy-gap analysis.
ISO 27001. An information-security management system (ISMS) standard. A vendor with ISO 27001 certification has documented their security processes and passed an external audit — it does not mean the specific service you're buying is in scope. Always ask for the actual certificate, check what's in scope, and check the date. "ISO 27001 certified" on a marketing page often refers to the parent company's office, not the product. See vendor questionnaire §3 — the Strætó case is the cautionary tale (Advania held ISO 27001 yet kept operations-grade, not security-grade, logs).
K
KEV — Known Exploited Vulnerabilities catalog (CISA). The list of CVEs confirmed exploited in the wild — observed, not predicted. The single best "drop what you're doing" list there is. Flagged 🚨 across this site; drives the patch-lag view. Created by BOD 22-01.
L
Lateral movement. Moving from the first compromised box to the ones that matter — domain controller, backup server, hypervisor, finance system (ATT&CK TA0008). Flat networks make it trivial; segmentation between your office LAN and your server VLAN is one of the cheapest ways to make an attacker's life hard.
LPE — Local Privilege Escalation. A bug that takes an attacker who already has some access on a machine up to admin/SYSTEM/root. The reason "low severity, it's only local" is a trap: an LPE is usually the second link in a chain that started with a remote bug or a phished user. Browse them at /class/lpe.
M
Malware. Catch-all for hostile software — ransomware, infostealers, RATs, droppers, wipers, cryptominers, web shells. Modern intrusions often chain several: a loader pulls a stealer, the stealer's loot funds a ransomware deployment.
MFA / 2FA — Multi-Factor / Two-Factor Authentication. Requiring a second proof beyond a password — an app code, a hardware key, a push. The single highest-return control against credential theft and credential stuffing. Phishing-resistant forms (FIDO2/passkeys) beat SMS and TOTP, which beat nothing. In Iceland, rafræn skilríki / Auðkenni is the widely-used national strong-auth scheme.
MITRE ATT&CK. A catalogue of attacker behaviour: tactics (the goals — Initial Access, Persistence, Privilege Escalation, Lateral Movement, Exfiltration, Impact, …) and techniques (the specific moves, each with an ID like T1190 "Exploit Public-Facing Application" or T1486 "Data Encrypted for Impact"). The shared language for describing intrusions and for asking "would we even detect this?" Browse a technique on this site at /technique/T1190.
N
NIS2. The EU directive on a high common level of cybersecurity, currently being transposed into Icelandic law. Widens the set of "essential" and "important" entities with formal duties: risk-management measures, incident reporting on a clock (early warning ~24h, fuller report ~72h), supply-chain security, and management accountability. If you run anything in energy, transport, water, health, digital infrastructure, ICT services, public administration, or a sizeable platform/manufacturer — assume it reaches you. See the defender handbook §4.
NVD — National Vulnerability Database (US NIST). Enriches CVE records with CVSS scores, CWE classes, and affected-product data. The backbone data source behind most vulnerability tooling — including this site's CVE summaries.
P
Patch lag. The gap between "a fix exists" (or worse, "this is on KEV") and "the exposed systems are actually patched." Attackers live in that gap. This site's Patch Lag Index measures it for Iceland-exposed software.
Patch Tuesday. Microsoft's monthly security-update release, the second Tuesday of each month — followed reliably by "Exploit Wednesday" as attackers reverse-engineer the patches. Other big vendors have their own cadences; KEV doesn't wait for any of them.
Phishing / spear-phishing. Tricking someone into clicking, entering credentials, or running something — by email, SMS (smishing), or voice (vishing). Spear-phishing is the targeted, researched version aimed at a specific person. Still a top initial access route; technical controls (MFA, attachment sandboxing, link rewriting) matter more than "user training" alone.
PoC — Proof of Concept. Code or steps that demonstrate a vulnerability is real, short of a weaponised exploit. A public PoC is a loud signal that mass exploitation is coming — the window between "PoC on GitHub" and "in the wild" is often days.
Privilege escalation. Going from limited access to powerful access — locally (LPE) or by abusing misconfigured roles/permissions in a domain or cloud (ATT&CK TA0004). The hinge step between "foothold" and "game over."
R
RaaS — Ransomware-as-a-Service. The platform model behind most modern ransomware: a core group builds the malware and the leak site and recruits affiliates who do the break-ins for a cut. It's volume business — which is why "we're too small to be a target" is wrong (the Bændasamtök case and CERT-IS's numbers make the point).
Ransomware. Malware that extorts you — classically by encrypting your data, now almost always with double extortion: steal the data first, then encrypt, then threaten to publish if you don't pay. Defence is layered: phishing-resistant MFA, fast edge patching, segmentation, EDR, and — the one that actually gets you back — tested, offline-or-immutable backups. This site tracks public victim listings in /ransomware.
RAT — Remote Access Trojan. Malware giving an attacker hands-on remote control of a machine — files, screen, keystrokes, webcam, a pivot deeper in. Often the payload delivered by a phishing loader.
RCE — Remote Code Execution. Run attacker-chosen code on a target over the network, usually without valid credentials. The bug class behind almost every "patch this weekend" advisory in internet-facing software. Browse them at /class/rce.
RIX — Reykjavík Internet Exchange. The neutral point where Icelandic networks peer with each other, operated by ISNIC. "Does it peer at RIX?" is, in practice, most of "is this Icelandic infrastructure?" — which is how this site geo-scopes its Iceland threat view. See the defender handbook §2.
S
SAML / SSO — Single Sign-On. SSO lets a user log into one identity provider (Entra ID, Okta, Google Workspace) and then access many applications without re-authenticating. SAML is one of two protocols carrying that login (the other is OIDC). The vendor practice of locking SSO behind enterprise-only pricing — the "SSO tax" — pushes small Icelandic orgs into per-app local accounts, defeating the central control SSO was supposed to give. See vendor questionnaire §1.
SBOM — Software Bill of Materials. A machine-readable inventory of the components and dependencies inside a piece of software. The thing that lets you answer "are we affected?" in minutes instead of days when the next Log4Shell-style dependency bug lands. Increasingly expected of vendors (and required for some — see the Cyber Resilience Act).
SIEM — Security Information and Event Management. A system that collects logs and events from across the estate, correlates them, and raises alerts — the "central nervous system" for detection and investigation. Often paired with SOAR for automated response. Feeds like this site's blocklists plug into it.
SIM-swap. Social-engineering a mobile carrier into porting a victim's phone number to an attacker-controlled SIM. The result: the attacker now receives the SMS codes, the Auðkenni prompts, the calls. Mitigated by port-out PINs (Nova, Síminn, and Sýn all offer them), strong identity-verification at the carrier support desk, and FIDO2 instead of SMS for accounts that matter. See defender handbook §7b.
SOAR — Security Orchestration, Automation and Response. Tooling that automates routine response — enrich an alert, block an IP, isolate a host, open a ticket — so analysts spend time on judgement, not clicks. Usually bolted onto a SIEM.
SOC 2 — Service Organization Control 2. A reporting framework from the AICPA covering security, availability, confidentiality, processing integrity, and privacy. Type I = "controls are designed appropriately at this point in time"; Type II = "controls operated effectively over a period (typically 6–12 months)". Type II is what you want from a serious vendor. A four-year-old SOC 2 is a red flag — the audit period has long since closed. See vendor questionnaire §3.
Social engineering. Manipulating people rather than machines — phishing, pretexting ("IT here, I need your code"), baiting, tailgating. The reliably weakest link, and the reason controls that don't depend on the human getting it right (MFA, least privilege, hard segmentation) matter so much.
SSRF — Server-Side Request Forgery. Tricking a server into making requests on the attacker's behalf — often to internal-only systems or cloud metadata endpoints (the classic route to stolen cloud credentials). Browse them at /class/ssrf.
Supply-chain attack. Compromising you by way of something you trust — a software update (SolarWinds, 3CX), an open-source dependency (xz, event-stream), a managed service provider, or an acquired company whose security came with it. Hard to defend against directly; vendor due diligence, SBOMs, least-privilege integrations, and monitoring are the levers. A recurring theme in Iceland's concentrated hosting market — see /supply-chain.
T
Threat actor. Whoever's doing it — from a script-running opportunist to a RaaS affiliate to an APT. The category matters because it changes your priorities (volume hygiene vs. supplier scrutiny vs. detection depth). Threat-intel reports name and track them with labels like APT29, Lazarus, Scattered Spider, LockBit.
Threat intelligence. Processed information about adversaries — their infrastructure (IoCs), their methods (TTPs), their targeting — meant to inform a decision. Ranges from raw feeds to finished analysis. The trap is collecting feeds you never operationalise; the value is acting on it (blocking, hunting, prioritising patches). This site's Iceland dashboard and feeds are threat intelligence aimed at Icelandic defenders specifically.
Tor exit node. The last relay in the Tor network — the IP a destination actually sees. Exit nodes appear to "attack" everything because everyone's traffic exits through them, so threat feeds full of exit IPs are mostly noise; this site suppresses them in its Iceland risk tiers. Legitimate uses are real; treat exit traffic as context-dependent, not automatically hostile.
TTP — Tactics, Techniques, and Procedures. How an adversary operates — the durable behavioural fingerprint, as opposed to easily-swapped IoCs. Detecting on TTPs ("this looks like credential dumping followed by lateral movement") catches an actor even after they rotate their infrastructure. MITRE ATT&CK is the standard vocabulary for them.
V
Vulnerability. A weakness — in code, configuration, or process — that an attacker can use to do something they shouldn't. Gets a name (CVE), a class (CWE), a severity (CVSS), an exploitation likelihood (EPSS), and, if you're unlucky, a KEV listing.
Vulnerability management. The ongoing loop: inventory what you run → find what's vulnerable → prioritise (KEV first, then EPSS×CVSS×exposure, not "highest CVSS wins") → remediate or mitigate → verify → repeat. The boring discipline that closes the patch lag before someone else exploits it.
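The prioritisation step above, together with the EPSS entry's point that a high-CVSS / low-EPSS bug and a mid-CVSS / high-EPSS bug deserve different urgency, as an added example (not this site's own tooling): KEV entries go first, everything else is ranked by EPSS × CVSS × exposure, and the "highest CVSS wins" order is shown beside it for contrast. The exposure weights, the urgency cut-offs and the four sample findings are assumptions and constructed records with placeholder CVE ids.

```python
"""Risk-based triage of a vulnerability backlog: KEV first, then EPSS x CVSS x exposure,
never "highest CVSS wins". Added example, not this site's own code; the exposure weights
and cut-offs are assumptions, and the findings below are constructed placeholder records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str        # identifier only; it carries no severity by itself
    cvss: float     # CVSS base score, 0.0-10.0 (how bad if used)
    epss: float     # EPSS probability, 0.0-1.0 (how likely to be used in 30 days)
    kev: bool       # on CISA KEV, i.e. confirmed exploited in the wild
    exposure: str   # where it is reachable from: "internet", "internal" or "isolated"


# Assumed weights: an internet-facing bug counts fully, an isolated one barely.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}


def risk_score(f: Finding) -> float:
    """EPSS x CVSS x exposure, normalised to 0..1. KEV is handled separately."""
    return (f.cvss / 10.0) * f.epss * EXPOSURE_WEIGHT[f.exposure]


def urgency(f: Finding) -> str:
    """Bucket one finding. KEV overrides the score: confirmed beats predicted."""
    if f.kev:
        return "now"
    score = risk_score(f)
    if score >= 0.30:            # assumed cut-offs; tune to your patch cadence
        return "this week"
    if score >= 0.05:
        return "this cycle"
    return "backlog"


def prioritise(findings):
    """KEV entries first, then by descending risk score, CVE id as a stable tie-break."""
    return sorted(findings, key=lambda f: (not f.kev, -risk_score(f), f.cve))


def naive_by_cvss(findings):
    """The anti-pattern the glossary warns about: sort by CVSS alone."""
    return sorted(findings, key=lambda f: -f.cvss)


def triage(findings):
    """Return [(cve, urgency)] in the order the team should work them."""
    return [(f.cve, urgency(f)) for f in prioritise(findings)]


# Constructed sample backlog (placeholder CVE ids, not real records).
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, kev=False, exposure="internal"),
    Finding("CVE-0000-0002", cvss=6.5, epss=0.85, kev=False, exposure="internet"),
    Finding("CVE-0000-0003", cvss=7.2, epss=0.10, kev=True,  exposure="internet"),
    Finding("CVE-0000-0004", cvss=8.1, epss=0.30, kev=False, exposure="internal"),
]

if __name__ == "__main__":
    print("naive order :", [f.cve for f in naive_by_cvss(SAMPLE)])
    for cve, when in triage(SAMPLE):
        print(f"{cve}: {when}")
```

Note how the 9.8 lands in the backlog while the 6.5 is due this week: the score only moves when the bug is both likely to be used and reachable.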
Z
Zero-day (0-day). A vulnerability being exploited before a patch exists (sometimes before the vendor even knows). You can't "patch" a true zero-day on day zero — you contain (disable the feature, restrict access, watch for the IoCs/TTPs) until the fix ships, then patch fast. Many KEV entries started as zero-days.
Zero trust. A design principle: don't grant trust because something is "inside the network" — authenticate and authorise every request, every time, on identity + device posture + context, and segment so a foothold doesn't become free run of the place. Not a product you buy; an architecture you move toward (and the antidote to the "flat network, soft centre" that makes lateral movement easy).
Drafted with AI assistance, reviewed by a working Icelandic sysadmin. Spot something wrong or missing a term you keep having to explain? admin@1881.is.