# IT security knowledge base, vetosec

Every IT security term, explained for small and mid sized businesses in Austria. Each entry answers the question in its first sentence.

## Basics

### IT security for SMEs
What does IT security mean for an SME?

IT security in a small or mid sized business means reliably doing the few things that stop most real attacks: current systems, tested backups, two-factor login, clean permissions and staff who recognise phishing.

Full entry: https://vetosec.at/en/it-security/it-sicherheit-kmu/

### Vulnerability and vulnerability assessment
What is a vulnerability?

A vulnerability is a flaw or misconfiguration in software, hardware or settings that lets an attacker into a system. A vulnerability assessment searches for these points systematically and rates their risk.

Full entry: https://vetosec.at/en/it-security/schwachstelle/

### Attack surface
What is an attack surface?

An attack surface is the sum of all the points through which someone could enter your IT: every reachable device, account, application and interface. Each of those points needs updates and supervision. The smaller the attack surface, the fewer places you have to defend.

Full entry: https://vetosec.at/en/it-security/angriffsflaeche/

### Security objectives: confidentiality, integrity, availability
What are the three security objectives of information security?

The security objectives of information security are confidentiality, integrity and availability. Confidentiality means that only authorised people can see the data. Integrity means the data stays unaltered. Availability means data and systems are there when you need them.

Full entry: https://vetosec.at/en/it-security/schutzziele/

### Zero trust
What is zero trust?

Zero trust is a security model in which every request for access is verified on its own, including requests that come from inside the company network. The check covers who is asking, from which device and for which data. Permissions are limited to what the task requires.

Full entry: https://vetosec.at/en/it-security/zero-trust/

### IT asset inventory
What is an IT asset inventory?

An IT asset inventory is an up to date list of every device, application, account and service your business uses. It records what exists, where it runs and who is responsible for it. The inventory is the basis for updates, backups and any response to a security incident.

Full entry: https://vetosec.at/en/it-security/it-inventar/

## Audit and testing

### IT security check
What is an IT security check?

An IT security check is a structured review of a company's IT. It records the current state of network, servers, workstations and access, rates the risks it finds and orders them by urgency.

Full entry: https://vetosec.at/en/it-security/it-sicherheitscheck/

### IT security audit
What is an IT security audit?

An IT security audit reviews a company's IT security against a benchmark defined in advance. That benchmark can be a recognised standard, a set of legal requirements or the auditor's own checklist.

Full entry: https://vetosec.at/en/it-security/it-sicherheitsaudit/

### IT audit
What is an IT audit?

An IT audit is the systematic review of an organisation's information technology, meaning the systems, the processes and the evidence behind them.

Full entry: https://vetosec.at/en/it-security/it-audit/

### Penetration test
What is a penetration test?

A penetration test is a commissioned, controlled attempt to attack your own systems. It proves whether a vulnerability can actually be exploited.

Full entry: https://vetosec.at/en/it-security/penetrationstest/

### Vulnerability scan
What is a vulnerability scan?

A vulnerability scan is an automated review of systems for known security flaws and misconfigurations. Software compares the versions and settings it finds with public vulnerability databases and reports every match together with a rating of the risk.

Full entry: https://vetosec.at/en/it-security/schwachstellenscan/

### Gap analysis
What is a gap analysis in IT security?

A gap analysis compares the current state of IT security against a defined target state and records every gap between the two. The target comes from a requirement catalogue such as the GDPR, ISO/IEC 27001 or a client's security questionnaire. The result is a prioritised list of open points.

Full entry: https://vetosec.at/en/it-security/gap-analyse/

### Findings report and action plan
What is an audit findings report and action plan?

An audit findings report is the written result of an IT review. It records what was examined, what was found and how serious each individual finding is. The action plan puts those findings in order of urgency and names the concrete remedy for each one.

Full entry: https://vetosec.at/en/it-security/befund-massnahmenplan/

## Attacks

### Ransomware
What is ransomware?

Ransomware is malware that encrypts your data and demands a ransom to release it. The data is often copied before encryption as well, so the attacker can threaten to publish it.

Full entry: https://vetosec.at/en/it-security/ransomware/

### Phishing
What is phishing?

Phishing is an attempt to obtain credentials or money through faked messages. The message poses as a known sender and creates time pressure.

Full entry: https://vetosec.at/en/it-security/phishing/

### Social engineering
What is social engineering?

Social engineering is the deliberate manipulation of people in order to obtain credentials, information or money. The attacker poses as someone trustworthy, such as a manager, a supplier or a technician, and exploits helpfulness, time pressure and authority.

Full entry: https://vetosec.at/en/it-security/social-engineering/

### CEO fraud and invoice fraud
What is CEO fraud?

CEO fraud is a scam in which criminals pose as company management and order an urgent transfer. In the related invoice fraud, a genuine invoice is intercepted or rebuilt with different bank details, so that the payment reaches the criminals.

Full entry: https://vetosec.at/en/it-security/ceo-fraud/

### Malware
What is malware?

Malware is software written to damage, spy on or remotely control a system. It covers viruses, trojans, ransomware, spyware and loaders whose only purpose is to fetch further malicious code.

Full entry: https://vetosec.at/en/it-security/malware/

### Password attack
What is a password attack?

A password attack is an attempt to sign in to an account using a password that has been guessed, stolen or leaked elsewhere. The targets are mainly the services reachable from the internet, such as webmail, remote maintenance, VPN access and cloud applications.

Full entry: https://vetosec.at/en/it-security/passwortangriff/

### Supply chain attack
What is a supply chain attack?

A supply chain attack uses a third party as the route into your business, for example an IT provider with remote access, a software vendor or a tampered update. The attacker breaks into a partner and travels onward into your systems through that partner's access or product.

Full entry: https://vetosec.at/en/it-security/supply-chain-angriff/

### DDoS attack
What is a DDoS attack?

A DDoS attack floods a service with simultaneous requests from many sources until genuine users can no longer reach it. DDoS stands for distributed denial of service, a blockade of a service mounted from many machines at once.

Full entry: https://vetosec.at/en/it-security/ddos/

### Zero-day vulnerability
What is a zero-day vulnerability?

A zero-day vulnerability is a flaw in software for which the vendor has no update available yet. When it is exploited before a fix exists, the event is called a zero-day attack. The name refers to the zero days the vendor had to correct the flaw.

Full entry: https://vetosec.at/en/it-security/zero-day/

### Data breach
What is a data breach?

A data breach is an incident in which data reaches people who have no right to it, whether through an attack, a misconfiguration or a simple mistake. Where personal data is involved, the GDPR calls it a personal data breach.

Full entry: https://vetosec.at/en/it-security/datenleck/

## Safeguards

### Backup and restore
What is a backup and why must it be tested?

A backup is a copy of your data. What decides its value is the restore: only a tested restore run proves the copy will hold when it counts.

Full entry: https://vetosec.at/en/it-security/backup-wiederherstellung/

### Two-factor authentication (2FA)
What is two-factor authentication?

Two-factor authentication asks for a second proof alongside the password at login, such as a code from an app or a security key you plug in. A stolen password on its own is then no longer enough to get in.

Full entry: https://vetosec.at/en/it-security/zwei-faktor-authentifizierung/

### Permission model and least privilege
What is a permission model?

A permission model defines who may access which data. The principle of least privilege gives every account exactly the rights its job requires.

Full entry: https://vetosec.at/en/it-security/berechtigungskonzept/

### SPF, DKIM and DMARC
What are SPF, DKIM and DMARC?

SPF, DKIM and DMARC are three records in the management of your internet domain. Together they stop outsiders from sending email in your domain's name.

Full entry: https://vetosec.at/en/it-security/spf-dkim-dmarc/

### The 3-2-1 backup rule
What is the 3-2-1 backup rule?

The 3-2-1 rule is a rule of thumb for backups: keep three copies of your important data, on two different types of storage media, with one copy held away from your premises. A single event such as a fire or a ransomware attack then reaches every copy at once only in rare cases.

Full entry: https://vetosec.at/en/it-security/drei-zwei-eins-regel/

### Password manager
What is a password manager?

A password manager is an application that stores a company's login credentials in an encrypted vault and enters them when you sign in. You remember one strong master password, and the manager generates and keeps a separate long password for every service you use.

Full entry: https://vetosec.at/en/it-security/passwortmanager/

### Patch management and updates
What is patch management?

Patch management is the disciplined handling of security updates. A patch is the correction a vendor issues to close a security flaw that has become known. Disciplined means that you know which systems you run, that you learn about new updates, and that you install them within an agreed deadline.

Full entry: https://vetosec.at/en/it-security/patch-management/

### Firewall
What is a firewall?

A firewall is a control point between your company network and the internet that permits or blocks every connection according to fixed rules. It decides which services can be reached from the internet and which connections are allowed to leave your network.

Full entry: https://vetosec.at/en/it-security/firewall/

### VPN
What is a VPN?

A VPN (virtual private network) is an encrypted connection that lets staff working away from the office dial into the company network. Traffic travels through a protected channel and stays unreadable to third parties along the way. The route opens only after a successful login.

Full entry: https://vetosec.at/en/it-security/vpn/

### Encryption
What is encryption?

Encryption converts readable data into an unreadable form using a secret key, so that only the holder of that key can read it again. In a company it protects data on laptops, mobile phones and external drives, as well as traffic travelling across the internet.

Full entry: https://vetosec.at/en/it-security/verschluesselung/

### Antivirus and EDR
What is EDR?

EDR (endpoint detection and response) is protective software for workstations and servers that spots suspicious sequences of activity, raises an alert and can isolate the affected device from the network. Traditional antivirus recognises malware by known signatures, and EDR adds observation of how programs behave.

Full entry: https://vetosec.at/en/it-security/edr-virenschutz/

### Network segmentation
What is network segmentation?

Network segmentation divides a company network into separate zones, with only expressly permitted connections between them. If one device is taken over, the damage stays inside its zone. Common zones are the office, the servers, production and the guest Wi-Fi.

Full entry: https://vetosec.at/en/it-security/netzwerksegmentierung/

### IT emergency plan
What belongs in an IT emergency plan?

An IT emergency plan is a short written instruction setting out who does what during an IT outage or cyber attack, who is contacted, and in which order operations resume. It is kept on paper, because in an emergency the IT itself is affected.

Full entry: https://vetosec.at/en/it-security/notfallplan/

### Security awareness training
What is security awareness training?

Security awareness training is a short, regularly repeated briefing for staff that makes common attacks on people recognisable, such as forged invoices, calls purporting to come from the managing director, and cloned login pages. It also establishes where a suspicion is reported.

Full entry: https://vetosec.at/en/it-security/awareness-schulung/

### Monitoring and logging
What are monitoring and logging in IT?

Monitoring and logging mean that IT systems are watched continuously and that important events are written down, such as logins, errors and changes to permissions. In an incident these logs show what happened, when, and through which access route someone entered.

Full entry: https://vetosec.at/en/it-security/monitoring-logging/

## Law and standards

### Technical and organisational measures (TOMs)
What are technical and organisational measures?

Technical and organisational measures are the safeguards the GDPR requires for the processing of personal data. Article 32 GDPR calls for a level of protection appropriate to the risk.

Full entry: https://vetosec.at/en/it-security/tom-dsgvo/

### NIS2
What is NIS2?

NIS2 is EU Directive 2022/2555 on network and information security. It obliges companies in certain sectors to run risk management, to report security incidents and it places responsibility explicitly on management.

Full entry: https://vetosec.at/en/it-security/nis2/

### ISO/IEC 27001
What is ISO 27001?

ISO/IEC 27001 is the international standard for an information security management system. It describes how an organisation records, treats and continuously reviews its security risks.

Full entry: https://vetosec.at/en/it-security/iso-27001/

### GDPR
What is the GDPR?

The GDPR is the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679). It has applied since 25 May 2018 and governs how organisations may process personal data, including the duty to protect that data with appropriate technical measures.

Full entry: https://vetosec.at/en/it-security/dsgvo/

### DORA
What is DORA?

DORA is Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. It has applied since 17 January 2025 and requires financial entities to make their IT resilient against outages and attacks. Their ICT service providers are drawn into these duties as well.

Full entry: https://vetosec.at/en/it-security/dora/

### Data breach notification duty
When must a data breach be reported?

The data breach notification duty requires a personal data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it (Article 33 GDPR). Where a high risk is likely, the individuals affected must be informed as well (Article 34).

Full entry: https://vetosec.at/en/it-security/meldepflicht-datenpanne/

### Data processing agreement (DPA)
What is a data processing agreement?

A data processing agreement (DPA) is the contract required by Article 28 GDPR wherever a provider processes personal data on behalf of, and on the instructions of, a company. Typical cases are cloud storage, an external IT firm with remote access, or payroll software run in the cloud.

Full entry: https://vetosec.at/en/it-security/auftragsverarbeitung/

### Cyber insurance
What does cyber insurance cover?

Cyber insurance covers the financial consequences of an attack on a company's IT. A policy usually combines first-party cover, for example business interruption and data restoration, with third-party liability cover for claims brought by others. The precise scope is set out in the policy.

Full entry: https://vetosec.at/en/it-security/cyberversicherung/
