
This glossary is from Learning Ransomware Response & Recovery by W. Curtis Preston and Dr. Mike Saylor.
C2 (Command and Control) Servers – External servers controlled by attackers that communicate with malware to send commands and receive stolen data.
Capacity Metrics – Measurements of a backup system’s storage, throughput, and processing capabilities.
CCPA (California Consumer Privacy Act) – California privacy law that gives consumers rights over their personal data and lets them sue when a breach of that data results from a business's failure to maintain reasonable security.
CERT (Computer Emergency Response Team) – National or organizational teams that provide cybersecurity incident response services.
Certificate-based Authentication – An authentication method using digital certificates rather than passwords to verify identity.
Chain of Custody – Documented tracking of evidence handling from collection through analysis, crucial for legal proceedings and forensics.
Changed Block Tracking (CBT) – Technology that tracks which blocks on a disk have changed, enabling efficient incremental backups at the block level.
CISA (Cybersecurity and Infrastructure Security Agency) – United States federal agency responsible for cybersecurity and infrastructure protection, providing free resources, guidance, and incident response assistance.
Cl0p – A ransomware group known for supply chain attacks and for mass exploitation of vulnerabilities in file-transfer products, most notably the 2023 MOVEit Transfer zero-day.
Clean Room – See Sandbox Environment.
Cleaning – The process of removing malware while preserving the existing operating system, applications, and data. This is the least reliable eradication method, because it depends on finding every persistence mechanism and backdoor the attacker left behind; rebuilding from known-good media removes that uncertainty.
Clone/Cloning – Creating an exact duplicate of a virtual machine or system that can operate independently.
CMDB (Configuration Management Database) – A database that stores information about IT assets and their relationships within an organization.
Cobalt Strike – A commercial adversary-simulation (red team) tool whose cracked copies are widely used by attackers for post-exploitation, remote access, and lateral movement; its Beacon implant is a common precursor to ransomware deployment.
Cold Site – A disaster recovery facility with basic infrastructure but no pre-installed systems, requiring complete setup during recovery.
Command and Control (C2) Server – See C2 (Command and Control) Servers.
Common Vulnerability Scoring System (CVSS) – A standardized system for rating the severity of security vulnerabilities (0-10 scale).
Compliance – Adherence to legal, regulatory, or policy requirements (e.g., GDPR, HIPAA, PCI DSS, SOX, CCPA).
Configuration Management Database (CMDB) – See CMDB (Configuration Management Database).
Containment – The phase of incident response focused on preventing ransomware from spreading further while preparing for recovery.
Continuous Data Protection (CDP) – A backup method that continuously captures every change to data, allowing recovery to any point in time.
Conti – A ransomware variant known for wiping logs and aggressive attacks on critical infrastructure.
Correlation – The process of identifying relationships between different security events that together indicate malicious activity.
Credential Stuffing – An attack using stolen username/password combinations from one breach to attempt access to other services.
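The two entries above are related in practice: a single failed login is noise, and only correlating many events by source reveals the pattern. The following added example (not from the book) runs that correlation over constructed authentication log lines in a hypothetical `auth src=... user=... result=...` format. It distinguishes credential stuffing (one source, many different usernames) from a password brute force against one account (one source, one username), and lists any accounts that source actually logged into, since those are the ones to reset first.

```python
"""Correlate authentication events per source address (added example, not the book's code).

Log format and thresholds are assumptions for this illustration. Real
sources (SSH, VPN, IdP, web app) need their own parser, but the
correlation logic is the same: group by source, slide a time window over
the failures, and ask how many distinct accounts were tried.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z auth src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z auth src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z auth src=203.0.113.5 user=dave result=SUCCESS
2024-05-01T10:00:05Z auth src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z auth src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:30Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:31Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:32Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:33Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:34Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:35Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:00Z auth src=192.0.2.9 user=grace result=FAIL
2024-05-01T10:05:10Z auth src=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    result: str


def parse(log: str) -> list[Event]:
    """Parse the hypothetical log format into time-ordered events; skip lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def window_stats(fails: list[Event], window: timedelta) -> tuple[int, int]:
    """Largest (distinct users, failure count) seen in any sliding window over the failures."""
    best_users = best_count = 0
    start = 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts > window:
            start += 1
        span = fails[start:end + 1]
        best_users = max(best_users, len({e.user for e in span}))
        best_count = max(best_count, len(span))
    return best_users, best_count


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5),
              min_users: int = 5, min_fails: int = 5) -> dict[str, dict]:
    """Group events by source and classify each source's failure pattern.

    Thresholds are assumptions; tune them to the real volume of a given log source.
    """
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings: dict[str, dict] = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e.result == "FAIL"]
        users, count = window_stats(fails, window)
        successes = sorted({e.user for e in evs if e.result == "SUCCESS"})
        if users >= min_users:
            # Many different accounts from one source: credential stuffing.
            # Any account that succeeded from that source is presumed compromised.
            findings[src] = {"kind": "credential_stuffing",
                             "distinct_users": users,
                             "accounts_to_reset": successes}
        elif count >= min_fails:
            # Many failures against a single account: password brute force.
            findings[src] = {"kind": "password_bruteforce",
                             "target": fails[0].user,
                             "failures": count,
                             "accounts_to_reset": successes}
        # Otherwise: a user mistyping a password; no finding.
    return findings


if __name__ == "__main__":
    for src, finding in correlate(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

In the constructed data, 203.0.113.5 tries five different accounts in six seconds and succeeds against `dave`, 198.51.100.7 hammers `alice` alone, and 192.0.2.9 is one failed attempt followed by a success, which yields no finding. The response differs by class: stuffing calls for resetting the accounts that succeeded and blocking the source, while a brute force calls for protecting the single targeted account.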
Cryptocurrency/Bitcoin – Digital currency commonly demanded in ransomware payments because it can be received from anywhere and is pseudonymous: transactions are public on the blockchain, but wallet addresses are not tied to a named owner, which makes attribution and recovery difficult.
CSSP (Cybersecurity Service Provider) – Organizations providing specialized cybersecurity services including monitoring and incident response.
Cuckoo Sandbox – An open-source automated malware analysis tool for safely executing suspicious files.
Cumulative Incremental Backup – A backup that captures all changes since the last full backup (also called a differential backup). Restoring needs only the last full plus the latest cumulative set, rather than the full plus every incremental taken since it.
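To make the Changed Block Tracking and Cumulative Incremental Backup entries concrete, here is an added example (not from the book) that models a small disk with per-block change tracking, takes backups under both incremental strategies, and compares what a restore has to read back. The toy disk, the write schedule, and the class and function names are constructed for this illustration.

```python
"""Block-level change tracking and incremental backup sets (added example).

A disk is modelled as a list of fixed-size blocks. The tracker records which
block indexes were written since the last full backup and since the last
backup of any kind, the way a hypervisor's Changed Block Tracking does, so a
backup copies only changed blocks instead of scanning the whole disk.
"""
from __future__ import annotations

BLOCKS = 8  # constructed toy disk: 8 blocks, each holding a short version string


class TrackedDisk:
    """A disk whose writes are recorded in two change bitmaps."""

    def __init__(self) -> None:
        self.blocks = [f"b{i}-v0" for i in range(BLOCKS)]
        self.changed_since_full: set[int] = set()
        self.changed_since_last: set[int] = set()

    def write(self, index: int, data: str) -> None:
        self.blocks[index] = data
        self.changed_since_full.add(index)
        self.changed_since_last.add(index)

    def full_backup(self) -> dict[int, str]:
        """Copy every block and reset both bitmaps."""
        self.changed_since_full.clear()
        self.changed_since_last.clear()
        return dict(enumerate(self.blocks))

    def cumulative_incremental(self) -> dict[int, str]:
        """Copy every block changed since the last full; only a full resets that bitmap."""
        snap = {i: self.blocks[i] for i in sorted(self.changed_since_full)}
        self.changed_since_last.clear()
        return snap

    def incremental(self) -> dict[int, str]:
        """Copy only blocks changed since the previous backup of any kind."""
        snap = {i: self.blocks[i] for i in sorted(self.changed_since_last)}
        self.changed_since_last.clear()
        return snap


def restore(full: dict[int, str], chain: list[dict[int, str]]) -> list[str]:
    """Rebuild the disk: start from the full, then apply each set in order."""
    disk = dict(full)
    for backup_set in chain:
        disk.update(backup_set)
    return [disk[i] for i in range(BLOCKS)]


def run_scenario(mode: str) -> dict:
    """Run a fixed (constructed) write schedule, backing up once per day in the given mode.

    Returns what a day-3 restore needs and whether it reproduces the live disk.
    """
    disk = TrackedDisk()
    full = disk.full_backup()
    schedule = [  # (day, block index, new contents)
        (1, 1, "b1-v1"), (1, 2, "b2-v1"),
        (2, 2, "b2-v2"), (2, 5, "b5-v1"),
        (3, 7, "b7-v1"),
    ]
    backups = []
    for day in (1, 2, 3):
        for d, idx, data in schedule:
            if d == day:
                disk.write(idx, data)
        backups.append(disk.cumulative_incremental() if mode == "cumulative"
                       else disk.incremental())
    # Incremental mode must replay every set; cumulative mode needs only the latest.
    chain = backups if mode == "incremental" else backups[-1:]
    restored = restore(full, chain)
    return {
        "sets_after_full": len(chain),
        "blocks_read": len(full) + sum(len(s) for s in chain),
        "latest_set_blocks": sorted(backups[-1]),
        "restored_matches_live": restored == disk.blocks,
    }


if __name__ == "__main__":
    for mode in ("incremental", "cumulative"):
        print(mode, run_scenario(mode))
```

With this schedule the incremental chain is three sets (blocks {1,2}, {2,5}, {7}) and a restore reads 13 blocks; the cumulative chain is one set ({1,2,5,7}) and reads 12. The cumulative set grows every day until the next full, which is the storage price paid for the shorter restore chain and for having fewer sets that can go missing or be corrupted.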
Curated Restore – An advanced restoration technique that automatically restores the latest clean version of each file before it was encrypted.
CVE (Common Vulnerabilities and Exposures) – A standardized identifier (in the form CVE-YYYY-NNNNN) for a publicly known security vulnerability, so that vendors, scanners, and advisories all refer to the same issue.