Terminology

Ever wondered what all the pesky cybersecurity acronyms you hear stand for? So did we! Below is a not at all comprehensive list of common terms that you will come across as you pursue a career in this industry.

Terms

  • Assume Breach: This is a common refrain in the cybersecurity community. It means that no matter how much you harden a system, or how stringent your security policy is, a motivated attacker will find a way into your systems. So, since you have to assume that you can be breached, you have to prepare for that eventuality.

  • IT vs. InfoSec: IT and InfoSec are often used in connection with each other, but they should be considered separate entities within the company.

    IT stands for Information Technology and, in broad terms, refers to the people in the company responsible for managing and configuring the network servers and company-owned devices.

    InfoSec is a contraction of the words information and security. While InfoSec professionals also work with network servers and company-owned devices, they focus on securing those devices against external and internal attacks.

    While IT and InfoSec workers often work together, IT workers have the most means to attack a company’s systems, so their work is often overseen by the InfoSec team. As a result, it is recommended that the IT and InfoSec teams don’t report to the same manager.

  • Salting: Salting is when you create a long and complicated password that you save in your password manager, but there are an extra 3-5 digits at the end of the password that only you know and that you do not save in your password manager.

    You can use the same salt for every single new password that you create, so long as it is memorable to you and you never save or write it down anywhere (except maybe in your will).
    Salting is an easy extra security step that the team at We Assume Breach recommends everyone take. It is a small extra layer of security that can frustrate hackers in the event of a password manager breach.

  • CISO: Chief Information Security Officer

    CSO: Chief Security Officer

    These terms are often used interchangeably when discussing the head of the InfoSec department. You may have one of these at your company, but it is unlikely that you would have both.

  • Dark Patterns: Also known as “Deceptive Design”, a dark pattern is a deliberate choice by the designer to trick the user/consumer into a choice they don’t want to make or don’t know they are making. We hate them!

  • MFA: MFA stands for Multi-Factor Authentication and is often used interchangeably with 2FA (second factor authentication), which isn’t wholly inaccurate. The way we recommend thinking about it is that all 2FA is MFA but not all MFA is 2FA, kind of like how all dachshunds are dogs but not all dogs are dachshunds.

    You can also use the words themselves to remember the difference: second factor literally means the SECOND factor, and there are no others to contend with after you pass 2FA. Multi-factor can be only two factors, but it can also be any number more than that. Since MFA is the more inclusive term, it is the one that we use on this site.

  • Defense in Depth: This is a cybersecurity policy that assumes a hacker can get past any one security measure but can be stymied, or at least slowed, by multiple layers of security, giving the defender (you) enough time to respond and protect your workspace.

  • SSO: The acronym for Single Sign-On, which you will encounter a lot in your career. You may recognize it from when you sign up for a service and it asks if you want to use your Google or Apple account as your login. SSO is considered more secure when done correctly because it allows you to use a stronger form of MFA than is generally available on smaller sites.

  • Attack Surface: For our purposes, an attack surface is any service or protocol that provides potential exposure to a cyber threat.

  • Social Engineering: Quite possibly the most effective tactic that hackers have in their toolkit to compromise an organization, because it doesn’t matter how well protected your workspace is if an admin can be talked into compromising it over the phone.

    Social engineering takes many forms, the most well known of which is probably phishing, but any communication medium within an organization can be a vector for social engineering attacks.

  • Shoulder Surfing: This is exactly what it sounds like. It is when a person is peeking over your shoulder to watch your keystrokes to get your password, or to view your screen to glimpse confidential information.