A programming language. Pronounced as the letter.
Certificate or certification authority. Spell out on first use.
An association of CAs that provides industry guidelines on certificates.
An annual security conference in Arizona. http://www.cactuscon.com/
calc.exe
The Windows calculator program. Pen testers often use this in sample exploits to demonstrate code execution without harmful consequences.
A programming mistake that results in an infinite callback loop.
The Completely Automated Public Turing test to tell Computers and Humans Apart. A challenge-response test. Do not spell out.
\r (n.)
An invisible character that shifts the text position to the beginning of the line. This term is a skeuomorph that refers to the way a typewriter “returns” a carriage to its original position.
A book by Eric S. Raymond about models of free software design.
Chaos Communication Congress. An annual security conference in Germany.
The National Collegiate Cyber Defense Challenge. An annual competition between university-based security teams.
Compact disc. CD may also stand for continuous delivery or continuous deployment, as in CI/CD. Spell out on first use when using in this sense.
Cult of the Dead Cow. A late 1990s hacking group that coined the term “hacktivism.”
Collaborative development environment, cardholder data environment, or Chrome Dev Editor. Spell out on first use.
Code division multiple access. A channel access method used in radio communications, particularly in mobile phone standards. Spell out or briefly define on first use.
Content delivery network. Spell out on first use.
Clean desk policy. Spell out on first use.
A Linux distribution. Pronounced as “sent-O-S” or “sent-oss.”
Computer Emergency Readiness Team or Cyber Emergency Response Team. Do not use as a generic term.
Ex: US-CERT, CERT/CC
Spell out certification names on first use unless used as a suffix for a person’s name. Examples of abbreviations for certifications include CCNA, GPEN, OSCE, PCI ASV, Sec+.
Call for papers or call for proposals. Chiefly used for conference submissions.
Short for computer-generated images or Common Gateway Interface. Spell out on first use to clarify your meaning.
A robot-filtering test like CAPTCHA.
When calling out specific characters (keystrokes) that affect the meaning of a code sequence, write them in the tech font with a space on either side, surrounded by square brackets in the normal font. If the character’s name is also its symbol, write it in the tech font. If the font difference is not visible, use quotation marks. Sometimes abbreviated informally to char and pronounced as “char.”
Ex: a single quote [ ‘ ], the @ symbol, 30,000 “A” characters
Character set. Pronounced “char-set.”
The practice of coordinating security teams through real-time chat applications.
On many social media sites, a checkmark (often blue) next to a username indicates that the account’s owner has been verified, distinguishing it from fan or parody accounts.
This is a more accurate term for child pornography. If you discover child abuse material in the context of your work, report it to a manager immediately. If you find it online outside of work, contact the National Center for Missing and Exploited Children (NCMEC).
chmod
Short for change mode. Pronounced as “change mod,” “C-H-mod,” or “chuh-mod.”
chroot
Short for change root. A Unix operation that simulates a directory on a filesystem as if it were the root of the filesystem. Pronounced as “C-H-root” or “chuh-root.”
chroot directory (n.) or ChrootDirectory
A directory to which an SSH session is confined; ChrootDirectory is the sshd_config setting that specifies it.
chroot jail (n.)
A directory used to isolate a process from the rest of the system.
Confidentiality, integrity, and availability, the triad of information security concerns. Also stands for Central Intelligence Agency. Spell out on first use to clarify your intended meaning.
Continuous integration and continuous delivery/deployment. Spell out on first use, but choose either delivery or deployment based on client preference.
Classless inter-domain routing. Pronounced as “cider” or “cedar.” Spell out or briefly define on first use in public-facing documents.
A cryptographic primitive. Write the names of ciphers in the normal font, as in Blowfish. Don’t write this as “cypher.” Cypher is a character from The Matrix and a query language.
The Center for Internet Security has a list of 20 guidelines for securing an organization. https://www.cisecurity.org/controls/
Cybersecurity and Infrastructure Security Agency.
Chief information security officer. Pronounced as “see-so.”
When discussing a specific class by name, use the tech font, as in “the Time class.”
In common usage, these terms are used interchangeably. In our reports, cleartext means unencrypted content. Plaintext is a more technical term that describes the input to a cryptographic system (which itself may already be encrypted or hashed).
This is used in contrast to the “dark web” or “dark net” parts of the internet. It generally refers to publicly accessible sites that have been indexed by search engines. Informal.
In formal writing, we often refer to this attack as user interface (UI) redress. It’s also called cross-frame scripting.
The discontinued anthropomorphic paper clip assistant in Microsoft Office.
A security assessment framework for cloud-based third-party API integrations. Spell out on first use.
A Bishop Fox open source tool for testing cloud infrastructure.
An AWS content delivery network.
An AWS logging and monitoring service.
A group of servers working together.
Ex: “Provision a cluster on each account.”
Content management database. Spell out on first use.
A type of script in the Windows PowerShell command-line environment. Pronounced as “command-let.”
Content management system. Spell out on first use.
Do not pluralize when referring to programming languages.
Short for code/decode. A device or program that can compress and decompress data. Pronounced as “co-deck.” Do not spell out.
Unit of worth in virtual currencies. These terms are sometimes used interchangeably and sometimes used very differently. Define briefly on first use to clarify your intended meaning.
A virtual wallet for offline bitcoin storage.
To join two or more items into one item by stringing them together. Concat is informal.
Ex: "a" + "b" = "ab"
Short for configuration or configure. Informal.
A pre-defined, immutable variable that is referenced in later code.
Ex: Content-Type header, content-type validation
Text that has been copied and pasted into a new location. On forums, it leads to inside jokes. In documents, it can refer to redundancy or typos caused by errant copy/paste actions. Informal.
A Bishop Fox attack surface management and continuous penetration testing solution. https://bishopfox.com/platform
Chosen-plaintext attack. Also stands for Certified Public Accountant. Spell out on first use.
A programming language. Pronounced as “C-plus-plus.”
To decipher or decode, as in a password or combination lock. In old-school discussions, hacking vs. cracking was an important distinction between the exploratory intent of hackers accessing systems without authorization vs. the often criminal intent of crackers accessing and damaging those same systems.
Challenge-response authentication mechanism. Spell out on first use.
Write Creative Commons licenses in normal font.
Ex: CC BY-SA 2.0 Generic
The information necessary to pass a security check (e.g., a username and password set, a key pair, or an RFID badge). Cred is informal and can also refer to currency in sci-fi or dystopian settings.
Compression Ratio Info-leak Made Easy. A security exploit. Do not spell out.
Describes a non-negotiable business function or a vulnerability with catastrophic consequences that is easily exploitable.
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
Customer relations management.
There are three kinds of XSS: reflected, stored, and DOM-based. Pronounced as letters or the whole phrase.
A password-cracking tool.
Historically, this was short for cryptography. Now, it can also mean cryptocurrency. In medicine, Crypto is short for Cryptosporidium, a waterborne parasite. Spell out on first use to clarify your intended meaning.
Virtual currency.
A global series of events that educate communities about security and technology. https://www.cryptoparty.in/
Ex: @CryptoHarlem on Twitter
Computer science or container security. Spell out on first use.
Cryptographically secure pseudo-random number generator. A secure way of generating random numbers. Pronounced as letters, “crypto R-N-G,” or “C-spring.” Spell out or briefly define on first use.
Cross-site request forgery. A common web vulnerability. Pronounced as letters or “C-surf.” Spell out on first use.
An informal term for high-level executives like CEOs and CIOs. Also called “C-level” executives.
Cross-site WebSocket hijacking. Pronounced as letters, the whole phrase, “WebSocket hijacking,” or “C-swish.” Spell out on first use.
Short for clickthrough rate or Counter Mode. Spell out on first use.
An error in early Apple dictionaries corrected “cooperation” to “Cupertino” because their limited word list only included “co-operation” as correct.
curl
Client URL. A data transfer tool. Use the tech font when writing about the specific command. Pronounced “curl.”
Common Vulnerabilities and Exposures. A system that catalogs publicly known vulnerabilities and exposures. Do not spell out. Write CVE ID numbers in the normal font.
Ex: CVE-2014-6271
Common Vulnerability Scoring System. Spell out on first use in public-facing documents.
Industry professionals don’t use this prefix, but it’s helpful when informing the public, as in the title of this document. For many users, “cyber” on its own invokes cybersex, not hacking. Use sparingly.
A dictionary file based on this style guide’s word list that augments your word processor’s spell checker. Available at https://github.com/bishopfox/cyberdic.
A framework that describes the phases of digital attacks from information gathering to full system control. It originates from the military concept of a kill chain, to which it is sometimes abbreviated. Avoid using this trademarked term to mean a generic attack chain.
A subgenre of science fiction.
Defense contractors and government officials use this term or “infosec.” Industry professionals do not prefer this term, but it is used for clarity with the public, as in the title of this document. We prefer the term information security.
A hybrid organic being. Coined in 1960 as a contraction of cybernetic and organism.
A reverse engineering tool for iOS devices.
An app found on jailbroken iOS devices.
An activist who promotes cryptography and privacy.