Glossary
Plain-language definitions of key terms used in this playbook.
- After-action review (AAR): A structured, blameless review held after an incident to capture what happened, what worked, what didn't, and what to change. It produces a written report with tracked action items.
- Backups (immutable / offline): Copies of data that cannot be altered or deleted by a normal administrator (immutable) or that are physically disconnected from the network (offline). Critical for ransomware recovery, because attackers routinely try to destroy reachable backups before encrypting.
- CISA: U.S. Cybersecurity and Infrastructure Security Agency. Publishes the #StopRansomware guide and maintains free resources for higher education.
- Command and control (C2): Infrastructure attackers use to communicate with malware on compromised systems. Blocking C2 traffic helps stop ongoing attacks.
- Containment: Steps that stop an attack from spreading further: isolating hosts, disabling accounts, revoking sessions, and blocking outbound traffic.
- Decryption key: The key needed to reverse ransomware encryption. It may or may not be supplied by attackers after payment; keys are sometimes published by law enforcement.
- Detection: Identifying that an intrusion or attack is occurring or has occurred, ideally before damage is done.
- Endpoint Detection and Response (EDR): Software that monitors laptops, desktops, and servers for malicious behavior and supports investigation and response.
- FERPA: Family Educational Rights and Privacy Act (U.S.). Governs the privacy of student education records and shapes notification obligations.
- FIDO2 / WebAuthn: Phishing-resistant authentication standards. Hardware security keys and platform authenticators (Touch ID, Face ID, Windows Hello) implement them.
- Incident Commander: The single person responsible for directing the response during an incident, regardless of normal seniority.
- Indicator of Compromise (IOC): An observable artifact (file hash, IP address, domain, behavior) that suggests a system has been compromised.
- MFA / Multi-factor authentication: Requiring more than a password to sign in, typically a one-time code or a hardware key. Phishing-resistant MFA (FIDO2) defeats most credential phishing.
- MFA fatigue: An attack in which the attacker repeatedly triggers MFA push prompts, hoping the user approves one out of frustration.
- NIST: U.S. National Institute of Standards and Technology. Publishes the Cybersecurity Framework and SP 800-61 for incident response.
- Phishing: Deceptive messages (email, SMS, voice, web) that trick users into entering credentials, running malware, or approving fraudulent transactions.
- Ransomware: Malware that encrypts files and/or steals data, then demands payment to restore access or to prevent publication.
- RDP: Remote Desktop Protocol. Frequently abused by attackers when exposed to the internet without strong controls.
- Segmentation: Dividing a network into zones so a compromise in one area can't spread freely to others.
- Tabletop exercise: A facilitated, discussion-based drill in which leaders walk through their response to a hypothetical incident.
- Third-party risk: Risk introduced by vendors, SaaS providers, and contractors. Recent higher-ed ransomware impact has been driven heavily by exploited third-party software.