The Censys
Cybersecurity Glossary

The process of identifying internet assets that are part of an attack surface. Connections between the assets and the attack surface should be determined in an automated fashion, prioritizing only high-confidence findings to reduce false positives. Asset discovery is a foundational capability of Attack Surface Management, and should be conducted as frequently as possible.

The set of internet assets relevant to an organization’s cybersecurity posture that an attacker can attempt to gain access to or compromise. Both internal and external assets make up an attack surface and can live on-premises, in the cloud, with shared hosting providers, and other third-party dependencies. An attack surface includes all assets, whether they are known or unknown, and whether they are protected by an IT/security team or left unguarded.

A proactive approach to exposure management involving the continuous discovery, inventory, and monitoring of an organization’s IT infrastructure, both known and unknown. Attack Surface Management (ASM) is a continuous process involving both inside-out and outside-in visibility of assets. ASM gives security programs the ability to understand and share context across teams to become proactive in building secure solutions and protecting the business. External Attack Surface Management (EASM) is a function within the larger Attack Surface Management process focused specifically on the external attack surface.

Censys Attack Surface Management is a best-in-class ASM solution which empowers security teams to gain full visibility into their attack surfaces. An outside-in view, or attacker’s perspective, of every asset and exposure is refreshed daily, hourly, or on-demand, giving your organization near-real time visibility and context so you can manage and communicate your cybersecurity posture. Your external attack surface is also assessed for risks and each is prioritized by what is important to you.

A method during port scanning of analyzing every server response to identify its underlying service, even if the service is non-standard for the port number (i.e. SSH on port 1234). This accounts for the fact that any service can be running on any port. Around 60% of all services observed on the internet are found on a non-standard port.

The foundation of the Censys Platform is our data. Founded by the creators of zMap, Censys’ proprietary map of the internet offers the most coverage, fastest discovery, and the deepest insights available. The Censys Internet Map is the most comprehensive, up-to-date collection of global internet infrastructure enriched with critical context to empower your security and intelligence teams.

The Censys Internet Map by the numbers:

• 10B certificates
• 137 Top Ports
• 1,440 cloud ports daily
• 3,502 ports weekly
• >200M IPv4 Hosts
• >80M IPv6 Hosts
• >580M name-based hosts
• Daily refreshes on all (>2B) services
• 7 years historical data

The leading Internet Intelligence Platform for Threat Hunting and Exposure Management, founded on the most comprehensive, accurate, and up-to-date map of the internet available. To ensure security teams have visibility into the threat landscape, they need access to a comprehensive and highly contextualized dataset for both proactive and reactive security analysis at scale. With the Censys Platform, organizations can get the most accurate data available, enabling teams to take down threats as close to real-time as possible, with no deployment or configuration required.

An integration with cloud accounts that is used for shadow cloud discovery, exposure monitoring, and cloud asset inventory. Information from all internet-facing assets in a given cloud account (Amazon S3, Azure Blob, Google Cloud Storage, virtual instances, databases, etc.) is continuously fed into an ASM platform, ideally as frequently as possible, enriching the asset discovery process and providing total cloud visibility. Cloud connectors are available within the Censys Attack Surface Management platform, and empower users to gain total cross-cloud visibility.

Software that is used to control the servers on which they appear over the internet. Like any software, they have uniquely identifiable default settings and configurations. This can provide security professionals with tools to test their defenses, but they can also be leveraged for malicious actions.

A term coined by the analyst firm Gartner that refers to the “set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure, and exploitability of an enterprise’s digital and physical assets.” Exposure management solutions, like Censys Attack Surface Management, that uncover unknown assets and continuously monitor an attack surface can be part of a CTEM strategy.

The assets, systems, and networks (both physical and virtual) that are essential to a functioning economy and national security. Critical infrastructure is an attractive target for hacker groups and nation-state threat actors; the 2021 Colonial Pipeline Attack is one example of a recent attack on critical infrastructure. Countries like the United States have made defending critical infrastructure from cyber attacks a key priority. In their 2023 national cybersecurity strategy, the Biden Administration stated that, “defending critical infrastructure against adversarial activity and other threats requires a model of cyber defense that emulates the distributed structure of the internet. Combining organizational collaboration and technology-enabled connectivity will create a trust-based ‘network of networks’ that builds situational awareness and drives collective action”.

All potential ingress points on a given asset that can be seen from an outside-in perspective (internet-facing). Exposures in themselves do not determine the overall risk to an organization, but present opportunities that can be exploited by attackers, and should be monitored or addressed.

A proactive cybersecurity strategy that seeks to identify and manage all assets that are exposed on the public-facing internet. Exposure management helps organizations better identify risks across their attack surface to prevent a cyber attack. An exposure management strategy can be carried out with the support of Attack Surface Management solutions.

An Internet-facing entity that an organization controls in order to conduct business on the Internet, including IP addresses, netblocks (CIDRs), autonomous systems (ASNs), certificates, domains and subdomains, websites, and storage objects. A collection of External Assets represents an organization’s external attack surface.

The set of external assets relevant to an organization’s cybersecurity posture. The external attack surface includes both known and unknown assets, and has become the number one entry point of security incidents and breaches.

A tool or process that continually discovers, inventories, and monitors the exposure of known and unknown external assets. External Attack Surface Management is part of a larger Attack Surface Management process or program, and should prioritize the outside-in visibility of external assets, as these will be the most accessible to attackers.

When a cybersecurity solution or cybersecurity team incorrectly classifies activity on an attack surface as a risk. The frequent occurrence of false positives can lead security teams to waste unnecessary time and resources investigating benign activity, and can result in “risk fatigue”. A study from Forrester Research finds that on average, Censys ASM customers experience 70% fewer false positives.

The ability to retrieve details about an asset on the internet, like a host or a certificate, from an earlier point in time. Censys users can leverage historical data collected from our internet map to better understand the behavior of internet devices over time and to inform their threat hunting efforts. Users can observe changes to a specific asset or group of assets on any given day within the past two years.

The presence of security configurations and protocols that are not implemented or that are implemented incorrectly, resulting in gaps to an organization’s security posture. Examples of misconfigurations include unencrypted services, weak or missing security controls, and self-signed certificates. Research from Censys finds that misconfigurations are the most prevalent type of risk observed on the internet, accounting for four of the five most commonly observed risks.

A command entered into an internet search tool that is used to retrieve information about an asset or group of assets. A query, or “search query,” can return a wide range of information about assets on the internet, including details about a host’s geographic location, software, and operating systems. The Censys Research Team frequently shares queries that users can run to inform their own investigations into unusual internet assets and threats.

A type of malware attack that uses encryption to lock out users from their systems until a sum of money is paid to the threat actors(s) deploying the attack. Some ransomware attacks threaten to expose data if victims do not pay within a requested time period. Ransomware can be spread through malicious attachments in emails, software apps, and websites, among other sources embedded with malware code.

The process of mitigating or eliminating a vulnerability or threat to an organization’s network. Remediation can occur before malicious activity impacts an organization, such as at first discovery of a phishing attempt, or it may occur in response to the activity to limit damage, such as after a breach.

Triggering a port scan of any host within an attack surface to rescan all known services, refreshing host data with its most current configuration from an outside-in perspective. This is often used as a “trust, but verify” mechanism as the final step of any exposure remediation efforts.

The potential for an exposure to negatively impact an organization if exploited or acted upon by an attacker. The overall severity of a risk is determined by a combination of the exposure itself and the underlying data, business context, or importance to an IT ecosystem. Risk severity may be different on a case by case basis.

Cloud-hosted, internet-facing assets that live outside of any environments protected by an organization’s security program. Shadow cloud is the result of managed and unmanaged cloud adoption within an organization, and most commonly occurs as parts of the organization outside of IT create cloud services, often circumventing any formal IT process.

Internet-facing assets that are not cohesively maintained, managed, and protected by an organization. Shadow IT presents easy-to-exploit attack vectors due to these assets being outside the scope of security tooling, and thus having minimal protection in place. Common sources of Shadow IT are legacy infrastructure, newly inherited assets through a merger or acquisition, non IT-managed assets being created by other parts of the organization, and the adoption of cloud services.

A proactive approach to cybersecurity in which skilled analysts use internet intelligence and other cybersecurity tools to seek out and identify risks, vulnerabilities, and other potentially malicious threats to the organization. Threat hunting is a form of vigilant defense that helps organizations stay ahead of threat actors. It involves threat hunters developing hypotheses based on the known behaviors of threat actors and validating or disproving these hypotheses through investigations.

A cybersecurity strategy that continuously identifies and evaluates security vulnerabilities in systems so that organizations can prioritize threats and better protect their assets. Vulnerability management solutions begin with scanning to evaluate known assets; if vulnerabilities on those assets are discovered, a VM solution will then assess and prioritize the vulnerabilities. Unlike ASM, which identifies both known and unknown assets, VM only looks at the assets which are already known to an organization. Security teams can enrich their VM efforts with ASM by adding newly discovered assets to their inventory for ongoing monitoring and management.

All named HTTP(S) services such as websites, elasticsearch instances, kubernetes clusters, and prometheus endpoints. Users of Censys Attack Surface Management can use our Web Entities feature to gain visibility into their websites and other name-based HTTP content. These assets can be discovered, monitored, assessed for risks, and triaged so that teams can better defend against places where attacks happen. The Web Entities feature has been modeled to better reflect the cloud infrastructure that most teams use to deploy their websites and name-based HTTP services.

Also known as SSL certificates, X.509 certificates help mitigate risk on the internet by enabling encryption for web traffic and acting as identity verification. Because certificates are useful for verifying an entity’s identity, they can provide helpful pivots in threat hunts and other investigations. Censys has the largest X.509 certificate repository in existence, which users can explore with advanced, granular searching capabilities to quickly retrieve the information they need.

A security principle or architecture framework that is applied to an organization’s IT systems. Zero trust is used to secure infrastructure, and it requires that all individuals attempting to access that infrastructure be continuously authenticated and validated. As the name suggests, a zero trust model does not give an attempted user, even those within the organization, implicit trust without verification. There are three principles of zero trust as defined by the NIST: 1.) Enhanced identity government and policy based controls 2.) Micro-segmentation 3.) Overlay networks and software-defined perimeters.