Introduction to Cybersecurity
Cross-Site Scripting (XSS)
A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
Integer Bug
A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
Service Level Agreement (SLA)
A document or part of a document that specifies the expected level of service from a service provider. An SLA usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
Distributed Denial-of-Service (DDoS Attack)
A form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Session Hijacking and TCP Hijacking
A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. TCP/IP is short for Transmission Control Protocol/Internet Protocol.
Pretexting
A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information. Pretexting is commonly performed by telephone.
Phishing
A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
Advance-Fee Fraud (AFF)
A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
Man-in-the-Middle
A group of attackers whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner. Some man-in-the-middle attacks involve encryption functions.
Script Kiddie
A hacker of limited skill who uses expertly written software to attack a system. Also known as skids, skiddies, or script bunnies.
Cyberterrorist
A hacker who attacks systems to conduct terrorist activities via networks or internet pathways.
Professional Hacker
A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.
Cracker
A hacker who intentionally removes or bypasses software copyright protection designed to prevent authorized duplication or use.
Phreaker
A hacker who manipulates the public telephone system to make free calls or disrupt services.
Cyberactivist or Hacktivist
A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Expert Hacker
A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers, they often create automated exploits, scripts, and tools used by other hackers.
Brownout
A long-term decreased in electrical power availability.
Surge
A long-term increase in electrical power availability.
Blackout
A long-term interruption (outage) in electrical power availability.
Back Door, Maintenance Hook, and Trap Door
A malware payload that provides access to a system by bypassing normal access controls. May also be an intentional access control bypass left by a system designer to facilitate development.
Trojan Horse
A malware program that hides its true nature and reveals its designed behavior only when activated.
Virus Hoax
A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
Hacker
A person who accesses systems and information without authorization and often illegal.
Notice Hacker
A relatively unskilled hacker who uses the work of expert hackers to perform attacks. Also known as neophyte, n00b, or newbie. This category of hackers includes script kiddies and packet monkeys.
Packet Monkey
A script kiddie who uses automated exploits to engage in denial-of-service attacks.
Sag
A short-term decrease in electrical power availability.
Spike
A short-term increase in electrical power availability, also known as a swell.
Fault
A short-term interruption in electrical power availability.
Packet Sniffer or Sniffer
A software program or hardware appliance that can intercept, copy, and interpret network traffic.
Rainbow Table
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
Spoofing
A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
Virus
A type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system's e-mail program.
Worm
A type of malware that is capable of activation and replication without being attached to an existing program.
Macro Virus
A type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application's product is opened. Typically affects documents, slideshows, e-mails, or spreadsheets created by Office Suite applications.
Dictionary Password Attack
A variation of the brute fore password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
Memory-Resident Virus
A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
Non-Memory Resident Virus
A virus that terminates after it has been activated, infected its host system, and replicated itself. Do not reside in an operating system or memory after executing.
Boot Virus
Also known as a boot sector virus, a type of virus that targets the boot secor or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
Bot and Zombie
An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input.
Buffer Overrun or Overflow
An application error that occurs when more data is sent to a program buffer than it is designated to handle.
Command Injection
An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
Mail Bomb
An attack designed to overwhelm the receiver with excessive quantities of e-mail.
Denial-of-Service (DOS) Attack
An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Zero-Day Attack
An attack that makes use of malware that is not yet known by the anti-malware software companies.
Brute Force Password Attack
An attempt to guess a password by attempting every possible combination of characters and numbers in it.
Utility
An attribute of information that describes how data has value or usefulness for an end purpose. Information has value when it can serve a purpose.
Availability
An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. Enables authorized users - people or computer systems - to access information.
Accuracy
An attribute of information that describes how data is free of errors and has the value that the user expects.
Authenticity
An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
Confidentiality
An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. Examples include information classification, securing document storage, application of general security policies, education of information custodians and end users.
Integrity
An attribute of information that describes how data is whole, complete, and uncorrupted. Includes file size, possible worms, algorithms, and other red flags.
Possession
An attribute of information that describes how the data's ownership or control is legitimate or authorized.
Chief Information Officer
An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.
10.4 Password Rule
An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.
Penetration Tester
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
Attack
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for their use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems - for example, as part of a botnet (slang for robot network).
Attack
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Can be active or passive and direct or indirect.
Availability Disruption
An interruption in service, usually from a service provider, which causes an adverse event within an organization.
Threat Event
An occurrence of an event caused by a threat agent. Example could be damage caused by a storm. Used commonly interchangeably with the term attack.
Threat
Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. While the two terms are technically distinct, in order to simplify the term threat describes threat sources.
Spear Phishing
Any highly targeted phishing attack.
Spyware
Any technology that aids in gathering information about people or organizations without their knowledge.
Cracking
Attempting to reverse-engineer, or bypass a password or other access control protection, such as the copyright protection on software.
Fail-Safe Defaults
Base access decisions on permission rather than exclusion.
Ransomware
Computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.
Malicious Code, Malicious Software, and Malware
Computer software specifically designed to perform malicious or unwanted actions.
Information
Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness. For example, a student's class average can be presented in the context of its value, as in "90 = A."
Security Professionals
Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
Early Stages of Security
Dominated by the physical security and simple document classification schemes. Primary threats were theft of equipment, espionage, and sabotage.
Jailbreaking
Escalating privileges to again administrator-level or root access control over a smartphone operating system (typically associated with Apple iOS smartphones).
Rotting
Escalating privileges to gain administrator-level control over a computer system (including smartphones). Typically associated with Android OS smartphones.
Complete Mediation
Every access to every object must be checked for authority.
Least Privilege
Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Cyberwarfare
Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state. Sometimes called Information Warfare.
Protecting Digital Assets
Identity - Protect - Detect - Respond - Recover.
Polymorphic Threat
Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
Adware
Malware intended to provide undesired marketing and advertising, including popups and banners on a user's screens.
People
Often overlooked but always been a threat to information security. The weakest link in an organization's information security program.
Data
Often the most valuable asset of an organization and therefore is the main target of intentional attacks.
Components of Information Systems
Procedures - People - -Hardware - Software - Data.
Security
Protection from adversaries - those who would do harm, intentionally or otherwise - is the ultimate objective.
Information Security
Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
Initiation
Security considerations are key to diligent and early integration, ensuring that threats are mitigated. Initial delineation of business requirements in terms of confidentiality, integrity, and availability. Determination of information categorization and identification of known special handling requirements to transit, store, or create information such as personally identifiable information. Determination of any privacy requirements.
Control, Safeguard, or Countermeasure
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
Implementation/Assessment
System is installed and evaluated in the organization's operational environment. Integrate the information system into its environment. Plan and conduct system certification activities in synchronization with testing of security controls. Complete system accreditation activities.
Operations and Maintenance
Systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. Monitored for continued performance. Conduct an operational readiness review. Manage the configuration for the system. Institute processes and procedures for assured operations and continuous monitoring of the information system's security controls. Perform reauthorization as required.
Information Extortion
The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement no to disclose the information.
Mean Time to Diagnose (MTTD)
The average amount of time a computer repair technician needs to determine the cause of a failure.
Mean Time to Repair (MTTR)
The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Mean Time Between Failure (MTBF)
The average amount of time between hardware failures calculated as the total amount of operation time for a specified number of unites divided by the total number of failures.
Mean Time to Failure (MTTF)
The average amount of time until the next hardware failure.
Competitive Intelligence
The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
Industrial Espionage
The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.
Intellectual Property (IP)
The creation, ownership, and control of original ideas as well as the representation of those ideas.
Open Design
The design should not be secret, but rather depend on the possession of keys or passwords.
Shoulder Surfing
The direct, covert observation of individual information or system use.
Protection Profile or Security Posture
The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
Investigation
The first phase, and most important. What problem is the system being developed to solve? This phase begins by examining the event or plan that initiates the process. During this phase, the objectives, constraints , and scope of the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits and their appropriate levels of cost. At the conclusion of this phase and at every phase afterward, a process will be undertaken to assess economic, technical, and behavioral feasibilities and ensure that implementation is worth the organization's time and effort.
Information Asset
The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
Theft
The illegal taking of another's property, which can be physical, electronic, or intellectual.
C.I.A. Triad
The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: Confidentiality, Integrity, and Availability.
Domain Name System (DNS) Cache Poisoning
The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate internet locations. Also known as DNS spoofing.
Asset
The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. The focus of what security efforts are attempting to protect.
Uptime
The percentage of time a particular service is available; the opposite of downtime.
Downtime
The percentage of time a particular service is not available; the opposite of uptime.
Hardware
The physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
Noise
The presence of additional and disruptive signals in network communications or electrical power delivery.
Risk
The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite - the quantity and nature of risk they are willing to accept.
Social Engineering
The process of usually social skills to convince people to reveal access credentials or other valuable information to an attack.
Communications Security
The protection of all communications media, technology, and content.
Pharming
The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Software Piracy
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
Privilege Escalation
The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Chief Information Security Officer (CISO)
Typically considered the top information security officer in an organization. Usually not an executive-level position, and frequently the person in this role reports to the CIO.
Trespass
Unauthorized entry into the real or virtual property of another party.
Spam
Undesired e-mail, typically commercial advertising transmitted in bulk.
Networks
When information systems are connected to each other to form LANs and these LANs are connected to other networks such as the Internet. Must have firewalls to protect systems.
Separation of Privilege
Where feasible, a protection mechanisms should require two keys to unlock, rather than one.
Systems Administrators
People with the primary responsibility for administering systems that house the information used by the organization.
Analysis
This phase begins with the information gained during the investigation phase. Consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. Analysts begin by determining what the new system is expected to do and how it will interact with existing systems. This phase ends with documentation of the findings and an update of the feasibility analysis.
Threat Source
A category of objects, people, or other entities that represents the origin of danger to an asset - in other words, a category of threat agents. Are always present and can be purposeful or undirected. Hackers are intentional, storms are not.
Database
A collection of related data stored in a structured form and usually managed by a database management system.
Subjects and Objects of Attack
A computer can be either the subject of an attack - an agent entity used to conduct the attack - or the object of an attack: the target entity. A computer can also be both the subject and object of an attack. It can be compromised by an attack (object) and then used to attack other systems (subject).
Exposure
A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
Methodology
A formal approach to solving a problem based on a structured sequence of procedures. Ensures a rigorous process with a clearly defined goal and increases the probability of success. Once adopted, the key milestones are established and a team is selected and made accountable for accomplishing the project goals.
McCumber Cube
A graphical representation of the architectural approach widely used in computer and information security; commonly shown as a cube composed of 3x3x3 cells, similar to a Rubik's Cube. Includes 27 cells representing areas that must be addressed to secure today's information systems. Each of the 27 areas must be properly addressed during the security process.
Community of Interest
A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
Bottom-Up Approach
A method of establishing security policies and/or practices that begins as a grassroots effort in which system administrators attempt to improve the security of their systems. Key advantage is the technical expertise of individual administrators. Possess in-depth knowledge that can greatly enhance the development of an information security system. Threats are familiar and what is needed to protect them. Lacks critical features such as participant support and organizational staying power.
Software Assurance (SA)
A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.
Systems Development Life Cycle (SDLC)
A methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system.
Top-Down Approach
A methodology of establishing security policies and/or practices that is initiated by upper management. Higher probability of success. Project is initiated by upper-level managers who issue policies, procedures, and processes; dictate the goals and expected outcomes; and determine accountability for each required action.
National Security
A multilayered system that protects the sovereignty of a state, its assets, its resources, and its people.
Vulnerability
A potential weakness in an asset or its defensive control systems.
Vulnerability
A potential weakness in an asset or its defensive control systems. Some example of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
Team Leader
A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.
Champion
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
Personally Identifiable Information (PII)
A set of information that could uniquely identify an individual.
Loss
A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization's information is stolen, it has suffered a loss.
Project Team
A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.
Security
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.
Access
A subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system whereas hackers must gain illegal access to a system. Access controls regulate this ability.
Network Security
A subset of communications security; the protection of voice and data networking components, connections, and content.
Database Security
A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
Exploit
A technique used to compromise a system.
Exploit
A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
Waterfall Model
A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
Media
As a subset of information assets, the systems and networks that store, process, and transmit information.
Data Security
Commonly used as a surrogate for information security, is the focus of protecting data or information in its various states - at rest (in storage), in processing, and in transmission (over networks).
Development/Acquisition
Conduct the risk assessment and use the results to supplement the baseline security controls. Analyze security requirements. Perform functional and security testing. Prepare initial documents for system certification and accreditation. Design security architecture.
C.I.A. Triad
Confidentiality, Integrity, Availability. Also include authenticity, accountability, non-repudiation.
Physical Design
During this stage, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision - the option to develop components in-house or purchase them from a vendor. Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the organization's management for approval.
Disposal
Final phase closeout of any contracts in place. Issues addressed explicitly. When transferred, obsolete, or are not longer useable, important that resources and assets are protected. Activities ensure the orderly termination of the system and preserve vital information. Building and executing a disposal/transition plan. Archival of critical information. Sanitization of media. Disposal of hardware and software.
Computer Security
In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.
Implementation
In this phase, any needed software is created. Components are ordered, received, and tested. Afterward, users are trained and supporting documentation created. Once all components are tested individually, they are installed and tested as a system. A feasibility analysis is again prepared, and the sponsors are then presented with the system for a performance review and acceptance test.
Logical Design
In this phase, the information gained from the analysis phase is used to begin creating a system solution for a business problem. In any system solution, the first and driving factor must be the business need. Based on the business need, applications are selected to provide needed services, and then the team chooses data support and structures capable of providing the needed inputs. Finally, based on all of this, specific technologies are delineated to implement the physical solution. Is the blueprint for a desired solution. Independent, meaning that it contains no reference to specific technologies, vendors, or products. Instead, it addresses how the proposed system will solve the problem at hand. In this stage, analysts generate estimates of costs and benefits to allow for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.
Software
Includes applications (programs), operating systems, and assorted command utilities. The most difficult component to secure. Often created under the constraints of project management, which limit time, costs, and manpower.
Data Owners
Individuals who control, and are therefore responsible for, the security and use of a particular set of information; may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it.
Data Custodians
Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of information.
Data Users
Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.
The Phases of a Traditional SDLC
Investigation - Analysis - Logical Design - Physical Design - Implementation - Maintenance and Change
Psychological Acceptability
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
Data
Items of fact collection by an organization. Includes raw numbers, facts, and words. Student quiz scores are a simple example.
Economy of Mechanisms
Keep the design as simple and small as possible.
Least Common Mechanism
Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.
Risk Assessment Specialists
People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
Security Policy Developers
People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
Information Security
Protects the organization's ability to function. Protects the data and information the organization collects and uses, whether physical or electronic. Enables the safe operation of applications running on the organization's IT systems. Safeguards the organization's technology assets.
Information System (IS)
The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
Information Systems
Software. Hardware, Data. People. Procedures. Networks.
Information Security
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information.
Information Security
The protection of information assets that use, store, or transmit information through the application of policy, education, and technology.
Physical Security
The protection of physical items, objects, or areas from unauthorized access and misuse. Includes protecting physical assets from harm or theft.
Threat Agent
The specific instance or a component of a threat. An external professional hacker is a specific one. A lighting strike, hailstorm, or tornado is a threat agent that is part of the threat source known as "Acts of nature".
Maintenance and Change
This phase is the longest and most expensive of the process. Consists of the tasks necessary to support and modify the system for the remainder of its life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until the team determines that it should begin again. At periodic points, the system is tested for compliance, and the feasibility. Updates, and patches are managed. When a current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.
End Users
Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard.
Procedures
Written instructions for accomplishing a specific task. Ways that organizations go about doing something must be protected so they are not exploited.
X
X