Software-as-a-Service is a software delivery method. Users access SaaS via the internet rather than downloading and installing a software application on a device. SaaS products typically are sold on a subscription basis rather than a one-time purchase.
Security controls are safeguards and countermeasures implemented to monitor systems, reduce the attack surface, detect vulnerabilities, prevent cyber attacks, and mitigate risks.
Security monitoring is the process of continuously scanning a company’s IT systems and maintaining real-time or near-real-time awareness of the activities and events occurring within those systems. Security monitoring solutions alert security teams when abnormal activity is discovered, allowing them to investigate and respond to vulnerabilities and threats before they escalate into an incident that causes significant harm.
According to the National Institute of Standards and Technology, a cyber security risk assessment identifies the risk that the use of information technology poses to your organization’s operations, assets, users, and more. Since risk is always present in business, a thorough assessment tests whether the protection in place effectively mitigates that risk.
Shadow IT comprises information technology systems, such as devices, software, services, and applications, that employees use without the explicit approval of the company’s IT department. Because it is not actively managed and monitored by the company’s security team, shadow IT can introduce serious security vulnerabilities. Vulnerability scanners only scan what is known (the sources the company feeds the system for scanning), so they overlook shadow IT because the company isn’t aware it exists. Attack surface management solutions, on the other hand, identify shadow IT through comprehensive digital supply chain discovery.
Social engineering is a sophisticated cyber attack method that uses manipulation and deception tactics to trick the victim into divulging sensitive information or providing access to information systems containing sensitive data. Social engineering comprises various attack methods such as phishing, ransomware, pretexting, and baiting, among others.
Spear phishing campaigns are a type of social engineering attack that targets specific people in an organization. The malicious actors behind them research high-value targets (for example, people with advanced permissions on the platform or account managers for celebrities) and send emails that appear trustworthy to request money or information. To make their emails look trustworthy, they use domains similar to that of the organization they’re targeting, maybe with one letter in the middle as the only difference. Sometimes, a valid domain of the organization can be hijacked, allowing the malicious actor to send an email from a legitimate domain.
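As an added example (not from the original glossary), the following sketch shows how a mail filter could flag sender domains that differ from the organization's domain by a single edit. It goes slightly beyond the one-letter substitution described above by also counting an inserted, dropped, or swapped letter; the function names and the `acme-corp.example` domain are hypothetical.

```python
from email.utils import parseaddr

def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "acme" -> "amce", counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of a From header, or '' if there is no address."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def classify_sender(from_header: str, org_domain: str, max_distance: int = 1) -> str:
    domain, org = sender_domain(from_header), org_domain.lower()
    if not domain:
        return "unparseable"
    if domain == org:
        # An exact match says nothing about a hijacked legitimate domain;
        # that case needs other signals and is out of scope here.
        return "exact"
    return "lookalike" if edit_distance(domain, org) <= max_distance else "other"

def flag_lookalikes(from_headers, org_domain):
    """Headers whose sender domain is near, but not equal to, org_domain."""
    return [h for h in from_headers if classify_sender(h, org_domain) == "lookalike"]

# Constructed sample headers; acme-corp.example is a placeholder organization.
SAMPLE = [
    '"Finance" <ap@acme-corp.example>',
    '"Finance" <ap@acme-c0rp.example>',      # one letter substituted
    '"IT Helpdesk" <it@amce-corp.example>',  # two letters swapped
    '"Vendor" <billing@supplier.example>',
]

if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLE, "acme-corp.example"):
        print("review:", header)
```

Short domains produce more false positives at distance 1, so in practice the flagged senders go to review rather than being blocked outright.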
Subsidiary assets are owned or managed by a company’s subsidiaries outside of the company’s networks. They may be known or unknown. In mergers and acquisitions, subsidiary assets are a prominent concern for parent companies. Attack surface management solutions offering robust digital supply chain discovery identify subsidiary assets, their connections, and any associated risks or vulnerabilities.
Digital supply chain risk management focuses on the security risks and vulnerabilities in all the components of the digital supply chain. The more services and applications organizations deploy online, the greater the likelihood that they’ve incorporated code, data, or other functionality from a third party into those applications. The challenge is identifying the risk those third parties represent for your organization, including potential financial or reputational damage if a breach should occur.