Cybersecurity Glossary for Home Security System Owners
Home security systems that connect to residential networks — including alarm panels, IP cameras, smart locks, and video doorbells — operate within a technical vocabulary that has direct consequences for how vulnerabilities are identified, disclosed, and remediated. This glossary defines the core cybersecurity terms applicable to residential security hardware and software, scoped to the specific threat surfaces present in home environments. Familiarity with these definitions supports informed conversations with installers, monitoring providers, and device manufacturers, and maps directly to the compliance frameworks governing connected residential devices.
Definition and scope
The cybersecurity terminology used in residential security contexts draws from three primary standards lineages: the National Institute of Standards and Technology (NIST) framework vocabulary codified in NIST SP 800-53 Rev. 5, the IoT-specific baseline definitions in NIST IR 8259A, and the consumer device guidance published by the Cybersecurity and Infrastructure Security Agency (CISA). These sources collectively define the terms below as they apply to residential environments — not enterprise networks.
The scope covers terminology relevant to five functional domains found in home security installations: network communication, authentication and access control, data protection, vulnerability management, and incident response. Terms from enterprise security that do not have a meaningful residential application (e.g., security information and event management platforms, PKI certificate authority chaining for enterprise endpoints) are excluded.
How it works
Cybersecurity terminology in this sector functions as a classification layer. Each term identifies either a threat class, a control mechanism, or an operational state. The definitions below are organized by domain.
Network Communication
Attack Surface — The sum of all points where an unauthorized party could attempt to interact with a device or system. For a video doorbell, the attack surface includes its Wi-Fi radio, its cloud API endpoint, its mobile app interface, and any open ports exposed to the local network. NIST defines attack surface in the context of system exposure enumeration within NIST SP 800-160.
Protocol — A defined set of rules governing data exchange between devices. Home security systems commonly use Z-Wave, Zigbee, Wi-Fi (IEEE 802.11), and Bluetooth Low Energy. Each protocol carries distinct security properties: Z-Wave uses AES-128 encryption in its Security 2 (S2) framework, while older Zigbee deployments may default to no encryption if the coordinator is not explicitly configured.
Man-in-the-Middle (MitM) Attack — An intrusion technique in which a third party intercepts and potentially alters communications between two endpoints — for example, between an alarm panel and its cloud monitoring server — without either party detecting the interception.
Local Area Network (LAN) Segmentation — The practice of placing IoT security devices on a separate network partition (often called a VLAN) isolated from primary computing devices, limiting lateral movement if one device is compromised.
Authentication and Access Control
Multi-Factor Authentication (MFA) — A login mechanism requiring two or more independent verification factors: something known (a password), something possessed (a one-time code from a mobile app), or something inherent (a biometric). The FTC Act Section 5 unfair practices standard has been applied in enforcement actions where vendors failed to implement reasonable authentication controls.
Default Credentials — Factory-set usernames and passwords shipped with devices. CISA has identified unchanged default credentials as a leading exploit vector in residential IoT compromises, documented in its Known Exploited Vulnerabilities Catalog.
Privilege Escalation — An attack that allows a user or process to gain access rights beyond those initially granted. On a home security panel, privilege escalation might allow an attacker with user-level access to modify alarm schedules or disable sensors entirely.
Data Protection
Encryption at Rest — Cryptographic protection applied to data stored on a device or server so that physical access to storage media does not expose readable content. Video footage stored locally on a DVR falls under this category.
Encryption in Transit — Protection applied to data as it moves across networks. TLS 1.2 and TLS 1.3 are the current baseline transport protocols; TLS 1.0 and 1.1 were deprecated by the Internet Engineering Task Force (IETF) in RFC 8996 in 2021.
End-to-End Encryption (E2EE) — A configuration in which data is encrypted at the originating device and decrypted only at the intended recipient, preventing the service provider's servers from accessing plaintext content. Not all residential security cloud platforms implement E2EE; many decrypt and re-encrypt at the server layer.
Vulnerability Management
CVE (Common Vulnerabilities and Exposures) — A publicly maintained catalog of disclosed security flaws, administered by MITRE under contract with CISA, accessible at cve.mitre.org. Each entry carries a CVSS (Common Vulnerability Scoring System) severity score between 0.0 and 10.0.
Firmware — Embedded software controlling hardware device behavior. Unpatched firmware is a persistent vulnerability class in residential security cameras and alarm panels; a 2022 analysis by Forescout Technologies identified over 9.8 million connected cameras globally running firmware versions with known critical CVEs (Forescout Vedere Labs, OT:ICEFALL research series).
Patch — A software update that corrects a specific vulnerability or functional defect. Devices that do not support over-the-air (OTA) updates require physical access for patching, creating a practical gap between disclosure and remediation.
Zero-Day Vulnerability — A flaw unknown to the device manufacturer or not yet patched at the time of exploitation. Zero-day exploits targeting residential security cameras have been documented in CISA advisories, including ICS-CERT advisories published on the CISA ICS Advisories page.
Incident Response
Indicator of Compromise (IoC) — Observable evidence that a device or account may have been breached, such as unexpected outbound traffic, login attempts from unfamiliar IP addresses, or unauthorized configuration changes.
Forensic Preservation — The process of capturing device logs and network traffic records in a manner that maintains evidentiary integrity. Relevant to homeowners who report security system tampering to law enforcement.
Common scenarios
- Default credential exploitation: An attacker scans residential IP ranges for open camera ports and authenticates using factory credentials that were never changed. This scenario accounts for the majority of residential camera breaches documented in CISA advisories.
- Firmware downgrade attack: An adversary with local network access forces a device to revert to an older firmware version containing known, unpatched CVEs, bypassing security improvements introduced in later releases.
- Cloud API abuse: A third party exploits a poorly authenticated mobile app API endpoint to retrieve live video streams or unlock smart locks. This threat class applies to the home security systems listings segment where cloud-dependent platforms are marketed as primary monitoring solutions.
- Wi-Fi deauthentication: An attacker sends spoofed IEEE 802.11 deauthentication frames, forcing security cameras off the network without physically touching them — a technique that exploits a structural characteristic of the 802.11 protocol documented by the IEEE.
- Credential stuffing: Breached username/password pairs from unrelated services are systematically tested against security system accounts. Users who reuse credentials across platforms are disproportionately exposed.
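The default-credential and credential-stuffing scenarios above leave different traces in a device or account login log. The following is an added example, not part of the original glossary, that sorts login sources into those two patterns while leaving an owner who mistypes a password unflagged. The log format, the factory account names, the threshold and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed factory account names; a real list comes from the vendor's documentation.
FACTORY_USERS = {"admin", "root", "user"}
STUFFING_MIN_USERS = 4  # assumed threshold: distinct accounts tried by one source

# Constructed sample log, assumed format: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T02:10:01Z 198.51.100.7 root FAIL
2024-05-01T02:10:02Z 198.51.100.7 admin OK
2024-05-01T03:00:00Z 203.0.113.9 alice FAIL
2024-05-01T03:00:01Z 203.0.113.9 bob FAIL
2024-05-01T03:00:02Z 203.0.113.9 carol FAIL
2024-05-01T03:00:03Z 203.0.113.9 dave OK
2024-05-01T08:15:00Z 192.0.2.44 erin FAIL
2024-05-01T08:15:20Z 192.0.2.44 erin FAIL
2024-05-01T08:15:45Z 192.0.2.44 erin OK
"""

def classify_sources(log_text):
    """Return {source_ip: label} for sources whose login pattern matches a scenario."""
    attempts = defaultdict(list)  # ip -> [(username, succeeded)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guess at their meaning
        _, ip, user, result = parts
        attempts[ip].append((user.lower(), result == "OK"))

    findings = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        failed_users = {u for u, ok in events if not ok}
        if any(ok and u in FACTORY_USERS for u, ok in events):
            # A factory account accepted a login: check whether its password was ever changed.
            findings[ip] = "default-account-login"
        elif len(users) >= STUFFING_MIN_USERS and len(failed_users) >= len(users) - 1:
            # Many different accounts, nearly all failing: breached pairs being replayed.
            findings[ip] = "credential-stuffing"
        elif users & FACTORY_USERS:
            findings[ip] = "default-account-probe"
    return findings

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(ip, label)
```

Because the log records no passwords, a "default-account-login" finding only shows that a factory account name is still active; whether the factory password was in use has to be checked on the device itself.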
Decision boundaries
Understanding when a given term applies — and when it does not — determines how accurately a vulnerability is characterized and how appropriately a response is scoped.
Encryption vs. Authentication: These are distinct controls. A camera can transmit encrypted video (protecting data in transit) while using weak authentication (allowing unauthorized access to the encrypted stream). Encryption does not substitute for authentication; the NIST Cybersecurity Framework, version 2.0, treats them as separate function categories under Protect.
Vulnerability vs. Exploit: A vulnerability is a flaw; an exploit is the mechanism that leverages it. A CVE exists regardless of whether an active exploit has been observed in the wild. Patch urgency is typically calibrated to CVSS score and exploit availability, not CVE publication alone.
Local vs. Cloud-Dependent Risk: Systems that operate entirely on a local network without cloud dependencies have a different attack surface than systems requiring persistent cloud connectivity. This distinction is relevant to the scope and structure of this resource and affects how terms like MitM attacks and API abuse apply in practice.
Consumer vs. Professional-Grade Devices: UL Standard 2050 and UL 2900-2-3 (the standard for network-connectable security and life-safety systems) draw a regulatory boundary between devices designed for self-monitored consumer use and those deployed in professionally monitored installations. The latter carry additional cybersecurity testing requirements that affect how vulnerability disclosures and patch obligations are structured. Details on how these categories are represented in the service sector are covered in the how to use this resource page.
References
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST IR 8259A — IoT Device Cybersecurity Capability Core Baseline
- [NIST Cybersecurity Framework v2.0](https://www.n