
This glossary is from Learning Ransomware Response & Recovery by W. Curtis Preston and Dr. Mike Saylor.
SaaS (Software as a Service) – Cloud computing service delivering applications over the internet on a subscription basis.
SAN (Storage Area Network) – High-speed network providing block-level storage access to multiple servers.
Sandbox / Sandboxing – Isolated environment for executing and analyzing suspicious or known-malicious code (detonation) without exposing production systems. The isolation is what provides the safety, so a sandbox must have no trust relationship with, and no network path back to, the production environment.
Sandbox Environment (for recovery) – Isolated network segment used to restore, test, and verify systems from backup before they are returned to production, so that a backup that still contains the ransomware or its persistence mechanisms cannot reinfect production.
SANITIZE – ATA/NVMe storage-device command set (block erase, cryptographic erase, or overwrite) that purges all user data on the device, including reallocated sectors and caches that a host-level wipe cannot reach; more thorough than SECURE ERASE.
Scheduled Tasks – Automated jobs run by the operating system (Task Scheduler on Windows, cron on Linux/macOS). Malware commonly registers a task that relaunches it at boot or logon, so cleaning a system must include reviewing and removing these entries or the infection returns.
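The persistence check described in the Scheduled Tasks entry, as an added example (not code from the book): Windows stores each task as an XML file under C:\Windows\System32\Tasks, and the script below parses definitions in that schema and flags the indicators a responder looks for. The two task definitions and the indicator lists (user-writable paths, evasive script-host switches, hidden tasks, boot/logon triggers) are this example's own constructed samples and heuristics, not a vendor ruleset.

```python
"""Hunt for persistence in Windows scheduled-task definitions.

Added example, not from the book. Task XML follows the Windows Task Scheduler
schema; BENIGN_TASK and MALICIOUS_TASK are constructed samples in that schema.
The indicator lists are this example's own heuristics (assumptions).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (assumptions): binaries launched from user-writable locations,
# script hosts run with evasive switches, tasks hidden from the UI.
USER_WRITABLE = re.compile(r"(\\temp\\|\\appdata\\|%temp%|%appdata%|\\users\\public\\|\\programdata\\)", re.I)
EVASIVE_ARGS = re.compile(r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|bypass|frombase64string|downloadstring)", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger", "RegistrationTrigger"}

# Constructed sample: a vendor updater that runs once a day.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\UpdateCheck</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: hidden task that runs encoded PowerShell at every logon.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDriveUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -enc aQBlAHgA</Arguments>
  </Exec></Actions>
</Task>"""


def analyze_task(xml_text: str) -> dict:
    """Return the task name, a list of findings, and whether it looks like persistence."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS)
    findings, strong = [], False
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(cmd):
            findings.append(f"command runs from user-writable path: {cmd}")
            strong = True
        if exe in SCRIPT_HOSTS and EVASIVE_ARGS.search(args):
            findings.append(f"{exe} launched with evasive arguments: {args}")
            strong = True
    for trigger in root.findall("t:Triggers/*", NS):
        kind = trigger.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if kind in PERSISTENCE_TRIGGERS:
            findings.append(f"persistence trigger: {kind}")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
        strong = True
    # A boot/logon trigger alone is normal; only a strong indicator makes the task suspicious.
    return {"name": name, "findings": findings, "suspicious": strong}


if __name__ == "__main__":
    for task in (BENIGN_TASK, MALICIOUS_TASK):
        result = analyze_task(task)
        print(result["name"], "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

To run this against a real host, read each file under C:\Windows\System32\Tasks (they are UTF-16 encoded; decode before parsing) and feed the text to analyze_task; a logon trigger by itself is reported as context but does not mark the task suspicious, because many legitimate tasks use one.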
Scientific Working Group on Digital Evidence (SWGDE) – Organization establishing standards for digital evidence handling.
Security Account Manager (SAM) – Windows registry hive (database) holding local account information and password hashes rather than plaintext passwords; dumping it is a standard credential-theft step, so access to it should be restricted and monitored.
Security Information and Event Management (SIEM) – Platform that collects logs from across the environment, normalizes and correlates them to detect threats, and retains them for investigation and compliance reporting; the combination of SIM and SEM.
Security Orchestration, Automation, and Response (SOAR) – Platform that executes predefined playbooks in response to alerts, coordinating actions such as isolating a host, disabling an account, or opening a ticket across multiple security tools.
Segregation/Segmentation – Separating systems, networks, or data into isolated sections to improve security and limit attack spread.
SEM (Security Event Management) – Real-time monitoring and analysis of security events; combined with SIM to create SIEM.
Service Account – Account used by an application or service rather than a person to access resources; often highly privileged with a non-expiring password, which makes it a common target for credential theft.
Service Level Agreement (SLA) – Contract with a vendor or MSP defining expected service levels, response times, performance metrics, and responsibilities.
SFTP (SSH File Transfer Protocol) – File transfer protocol that runs over an SSH connection (not FTP over TLS, which is FTPS). Because the session is encrypted, outbound SFTP to unfamiliar hosts is monitored as a possible data-exfiltration channel rather than inspected for content.
SHA-256 – Cryptographic hash function producing a fixed 256-bit digest of any input. It is collision-resistant in practice, so matching digests are used to verify file and backup integrity and to match files against published indicators of compromise. A digest only detects change; the reference value must come from a trusted source to know which copy is the good one.
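The integrity check the SHA-256 entry describes, applied to the restore-and-verify workflow in the Sandbox Environment entry, as an added example (not code from the book): a manifest of digests is taken while the backup is known good, the backup is restored into an isolated directory, and the restore is verified against the manifest before anything is promoted. The manifest format (relative path to hex digest), the report layout and the files hashed are this example's own assumptions; the files are constructed in a temporary directory.

```python
"""Verify a restored backup set against a SHA-256 manifest before promoting it.

Added example, not from the book. The manifest format and the report layout are
this example's assumptions; demo() builds the files it checks in a temp directory.
"""
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Stream the file so multi-gigabyte backup images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest) -> dict:
    """Compare a restored tree against a trusted manifest.

    Reports files that match, files whose content changed, files that are missing,
    and files present in the restore that the manifest never listed (a dropped
    binary or ransom note, for instance). Digests are compared with compare_digest.
    """
    root = Path(root)
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hmac.compare_digest(sha256_file(path), expected):
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    listed = set(manifest)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in listed:
            report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup, then a restore with one tampered and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "payroll.csv").write_bytes(b"id,name,amount\n1,alice,1000\n")
        (backup / "readme.txt").write_bytes(b"quarterly close\n")
        manifest = build_manifest(backup)  # taken while the backup was known good

        restored = Path(tmp) / "sandbox_restore"
        shutil.copytree(backup, restored)
        (restored / "finance" / "payroll.csv").write_bytes(b"id,name,amount\n1,alice,9999\n")
        (restored / "RESTORE_FILES.txt").write_bytes(b"your files are encrypted\n")
        return verify_manifest(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest has to be stored somewhere the attacker cannot reach (offline or immutable storage), otherwise it can be regenerated to match tampered data; the "unexpected" list is the part most restore procedures forget, and it is where ransom notes and dropped tooling show up.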
SIM (Security Information Management) – Long-term log storage and analysis for compliance; combined with SEM to create SIEM.
SMB (Server Message Block) – Windows file- and printer-sharing protocol and a frequent channel for ransomware both to encrypt network shares and to spread between hosts. SMBv1 has well-known remotely exploitable vulnerabilities (the EternalBlue flaws used by WannaCry in 2017) and should be disabled; unusual SMB activity is a common detection signal.
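The kind of correlation a SIEM performs (entry above), applied to the SMB activity just described, as an added example that is not code from the book: a rule that counts, per account and source IP, renames of files on a share to a ransomware-like extension inside a sliding 60-second window and raises one alert when the count crosses a threshold. The event fields, the window, the threshold of 20, and the extension list are this example's assumptions; the events are constructed inline (a service account encrypting a share from one workstation, plus an ordinary user's normal activity).

```python
"""SIEM-style correlation: one actor renaming many files on SMB shares to a
ransomware-like extension inside a short window.

Added example, not from the book. Event format, window, threshold and the
extension list are assumptions; make_sample_events() returns constructed data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: extensions appended by encryptors; a real rule would take this from threat intel.
RANSOM_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}


def make_sample_events() -> list:
    """Constructed file-server share audit events, one dict per operation."""
    t0 = datetime(2024, 3, 1, 2, 15, 0)
    events = []
    for i in range(30):  # attacker: 30 renames in 15 seconds from one host
        events.append({"ts": t0 + timedelta(seconds=i // 2), "user": "CORP\\svc-backup",
                       "src_ip": "10.0.5.23", "share": "\\\\FS01\\Finance", "op": "rename",
                       "old_path": f"Q1\\invoice_{i:03d}.xlsx",
                       "new_path": f"Q1\\invoice_{i:03d}.xlsx.locked"})
    events += [  # alice: normal work, including one file she legitimately renamed to .enc
        {"ts": t0 + timedelta(seconds=4), "user": "CORP\\alice", "src_ip": "10.0.7.10",
         "share": "\\\\FS01\\Finance", "op": "rename", "old_path": "draft.docx", "new_path": "final.docx"},
        {"ts": t0 + timedelta(seconds=6), "user": "CORP\\alice", "src_ip": "10.0.7.10",
         "share": "\\\\FS01\\Finance", "op": "write", "old_path": "", "new_path": "notes.txt"},
        {"ts": t0 + timedelta(seconds=8), "user": "CORP\\alice", "src_ip": "10.0.7.10",
         "share": "\\\\FS01\\Finance", "op": "rename", "old_path": "archive.zip", "new_path": "archive.zip.enc"},
    ]
    return events


def extension(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path, or '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""


def detect_mass_rename(events, threshold=20, window=timedelta(seconds=60)) -> list:
    """Sliding-window count of ransomware-extension renames per (user, source IP).

    Emits one alert per actor the first time the count inside the window reaches
    the threshold, which is the event a SIEM would hand to a SOAR playbook.
    """
    recent = defaultdict(deque)  # actor -> renames still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename" or extension(ev["new_path"]) not in RANSOM_EXTS:
            continue
        actor = (ev["user"], ev["src_ip"])
        q = recent[actor]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop renames that have aged out
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "rule": "mass_rename_to_ransomware_extension",
                "user": ev["user"], "src_ip": ev["src_ip"], "count": len(q),
                "first_seen": q[0]["ts"].isoformat(), "last_seen": ev["ts"].isoformat(),
                "shares": sorted({e["share"] for e in q}),
                "sample_files": [e["old_path"] for e in list(q)[:3]],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(make_sample_events()):
        print(alert)
```

Keying the window on account plus source IP is deliberate: an attacker using a stolen service account from a single workstation stands out even when that account legitimately touches the same share from the backup server, and the source IP is what an isolation playbook needs.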
Snapshot – Point-in-time copy of a virtual machine or storage volume. A VM snapshot can optionally capture memory state as well as disk; a storage snapshot captures only on-disk data. Snapshots usually live on the same storage as the original, so an attacker with administrative access can delete them and they are not a substitute for backups.
SOC (Security Operations Center) – Team or facility where security monitoring, detection, and incident response activities occur 24/7.
Social Engineering – Manipulation techniques that trick people into divulging confidential information or taking harmful actions.
SOX (Sarbanes-Oxley Act) – U.S. financial regulation requiring controls over financial reporting systems and data.
Static Analysis – Security analysis examining files on disk without executing them, versus dynamic analysis which runs the code.
Stolen Credentials – Usernames and passwords obtained through phishing, breaches, or other means, used for unauthorized access.
Supply Chain Attack – Attack compromising trusted software updates or third-party tools to distribute malware.
SWOT Analysis – Framework examining Strengths, Weaknesses, Opportunities, and Threats to understand situations and plan improvements.
Synthetic Full Backup – A backup created by combining existing full and incremental backups without re-copying data from source systems.