Vocabulary terms and definitions covering Security Operations Centers (SOC), incident classification levels, the Incident Response Team (CSIRT) structure, and incident response planning.
ISOC (or SOC)
Information Security Operations Center; a physical place and group of people manning equipment 24/7 to monitor networks and services for abnormal activity.
NOC
Network Operations Center; a center that often cooperates and shares sites, people, and equipment with a SOC.
Security event
Anything security-related that does not affect any operations, such as a blocked SQL injection or a network scan for open ports.
Security incident
An adverse event that threatens, affects, or disrupts operations and may trigger an incident response.
IRT / CSIRT
Incident Response Team / Computer Security Incident Response Team; the group responsible for declaring and handling security incidents.
High level severity
An incident level expected to cause very significant damage or information loss, such as 60TB of data being encrypted by ransomware.
Moderate level severity
An incident level that may cause damage, corruption, or loss of systems or information, such as the theft of an encrypted laptop.
Low level severity
An incident level that causes inconvenience or irritation with little to no consequences, such as a firewall restart causing a 5-minute traffic outage.
GDPR / NIS2
Regulatory frameworks that may mandate external reporting of security incidents.
Supply chain attack
A security incident in which malware originates from an external computer used to support third-party software.
Security disaster
An event resulting in large-scale destruction of property, loss of life, or massive changes to the physical environment which disrupts services.
CERT
Computer Emergency Response Team; a national- or regional-scale CSIRT, such as CERT-SE or Sunet CERT.
Incident Response Process
An iterative process consisting of Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Post Incident steps.
Core CSIRT members
Fixed members typically including a team leader (CSO or CISO), analysts, SOC members, and security engineers.
Incident Response Plan Charter
A section of the response plan defining the mission statement and responsibilities of the team.
War room
A dedicated, prepared workspace for incident handling featuring team displays, note-sharing tools, and limited physical access.
Staff rotation
The practice of working in shifts and sending people home to manage fatigue during major incidents that last many days.
Internal communication plan
A component of the incident response plan designated to handle information flow within the organization to reduce pressure on the IRT.
Public communications rule
The principle for media contact: do not withhold information, do not lie, and do not speculate, while maintaining confidentiality for legal investigations.