Glossary of Terms
This glossary provides definitions for key terms used throughout the Operational Security framework. It includes both general security terminology and Web3-specific concepts to help ensure a common understanding of security concepts.
General Security Terms
A
Access Control: Systems and policies that restrict access to resources based on user identity and authorization level.
Authentication: The process of verifying the identity of a user, system, or entity.
Authorization: The process of determining what actions an authenticated entity is permitted to perform.
Availability: The property of being accessible and usable upon demand by an authorized entity.
B
Backup: A copy of data created and stored separately from the original, to enable recovery in case of data loss.
Breach: An incident that results in the unauthorized access, disclosure, or acquisition of protected data.
C
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Configuration Management: The process of establishing and maintaining consistency of a system's performance and functional attributes with its requirements and design.
Containment: Actions taken to limit the scope and impact of a security incident.
Countermeasure: An action, device, procedure, or technique that mitigates a security threat or vulnerability.
D
Defense in Depth: A security strategy that employs multiple layers of controls to protect resources.
Disaster Recovery: A set of policies, tools, and procedures to enable the recovery of vital technology infrastructure and systems following a disaster.
E
Encryption: The process of converting information into a form that cannot be read without the corresponding key, to prevent unauthorized access.
Endpoint Security: The practice of securing entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors.
I
Incident Response: The process of addressing and managing the aftermath of a security breach or attack.
Integrity: The property that data has not been altered in an unauthorized manner since it was created, transmitted, or stored.
Intrusion Detection System (IDS): A system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
L
Least Privilege: The principle of providing users with the minimum levels of access necessary to perform their job functions.
Logging: The recording of events, activities, and changes within a system or network.
M
Malware: Software designed to disrupt, damage, or gain unauthorized access to a computer system.
Multi-Factor Authentication (MFA): An authentication method that requires a user to provide two or more verification factors to gain access.
P
Penetration Testing: An authorized simulated attack on a computer system to evaluate its security.
Phishing: A technique for attempting to acquire sensitive data, such as passwords or credit card details, by masquerading as a trustworthy entity.
Principle of Least Privilege: The concept of granting users only the minimum access rights necessary to perform their job functions.
R
Risk Assessment: The process of identifying, analyzing, and evaluating risk.
Risk Management: The coordinated activities to direct and control an organization with regard to risk.
S
Security Controls: Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks.
Security Incident: An event that potentially compromises the confidentiality, integrity, or availability of information or systems.
Separation of Duties: A principle that divides critical functions among different staff members to prevent fraud and errors.
T
Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.
Two-Factor Authentication (2FA): A method of confirming a user's claimed identity by utilizing a combination of two different factors.
V
Vulnerability: A weakness that can be exploited by a threat actor to perform unauthorized actions.
Vulnerability Assessment: The process of identifying, quantifying, and prioritizing vulnerabilities in systems, applications, and network infrastructure.
Web3-Specific Terms
A
Air-Gapped: A security measure where a computer or network is physically isolated from unsecured networks, such as the public internet or an insecure local area network.
B
Blockchain: A distributed ledger technology that maintains a continuously growing list of records, called blocks, which are linked and secured using cryptography.
C
Cold Storage: The practice of keeping a reserve of cryptocurrency offline, typically in hardware wallets or paper wallets.
Consensus Mechanism: The process in a blockchain network that achieves agreement among distributed processes or systems on a single data value.
Custodial Wallet: A cryptocurrency wallet where the private keys are held by a third-party service.
D
Decentralized Application (DApp): An application that runs on a decentralized network, avoiding a single point of control or failure.
Decentralized Autonomous Organization (DAO): An organization represented by rules encoded as a computer program that is transparent, controlled by the organization members, and not influenced by a central government.
E
Externally Owned Account (EOA): An Ethereum account controlled by a private key, typically belonging to a person.
G
Gas: A unit that measures the amount of computational effort required to execute operations on the Ethereum network.
H
Hardware Wallet: A special type of cryptocurrency wallet that stores the user's private keys in a secure hardware device.
Hot Wallet: A cryptocurrency wallet that is connected to the internet, allowing for quick transactions but with increased security risks.
M
Mempool: A collection of all transaction data that have been verified by nodes but have not yet been recorded onto the blockchain.
Multisignature (Multisig): A digital signature scheme that allows a group of users to sign a single document, with multiple parties required to authorize a transaction.
N
Node: A computer that connects to a blockchain network and maintains a copy of the blockchain.
Non-Custodial Wallet: A cryptocurrency wallet where users have full control over their private keys and cryptocurrency.
P
Private Key: A secret number that allows cryptocurrency to be spent. It is paired with a public key in asymmetric cryptography.
Public Key: A cryptographic key that can be obtained and used by anyone to encrypt messages intended for a particular recipient, such that the encrypted messages can only be decrypted by the recipient's paired private key.
S
Seed Phrase: A series of words generated by a cryptocurrency wallet that gives the holder access to the cryptocurrency associated with that wallet.
Smart Contract: A self-executing contract with the terms of the agreement written directly into code, which automatically enforces and executes those terms when predetermined conditions are met.
T
Token: A digital asset that is created, issued, and managed on an existing blockchain.
Transaction: The record of a change in ownership of a cryptocurrency or the execution of a smart contract.
W
Wallet: Software that stores private and public keys and interacts with various blockchains to enable users to send and receive digital currency and monitor their balances.
Web3: The concept of a new iteration of the web which incorporates concepts such as decentralization, blockchain technologies, and token-based economics.
This glossary provides a common language for discussing operational security concepts. Understanding these terms is essential for effective communication about security risks, controls, and practices in both traditional and Web3 environments.