Glossary index

A

Adware

Cyber attacks Social engineering

Adware is software designed to display various pop-up advertisements on your computer or mobile device. It has the potential to become malicious and harm your device by slowing it down, hijacking your browser and installing viruses and/or spyware.

AEP - Advanced Endpoint Protection

Endpoint SOC/SIEM Scanning

Advanced Endpoint Protection (AEP) is a cyber security countermeasure that uses machine learning and other threat intelligence to deploy anti-virus, anti-malware, and anti-spyware software. Threats are detected and blocked based on anomalous behavior identified by the machine learning algorithm, which is trained to detect patterns in log files and to monitor the system for unusual activity.

AI - Artificial Intelligence

SOC/SIEM Cyber attacks Scanning

Artificial Intelligence (AI) is a field of study concerned with the theory and development of machines and software that can exhibit intelligent behavior. AI in cybersecurity will be an advanced form of machine learning that can train itself to act autonomously to identify and stop cyber threats, resulting in a low-touch, high-impact security system.

Angler Phishing

Cyber attacks Social engineering

Angler phishing is where fake social media accounts are set up which act under the pretense of customer support to extract personal information. Victims are lured in by being prompted to click a suspicious link that installs malware on their device.

Anti-Malware Software

Scanning

Anti-malware software identifies, prevents, and removes malicious software using a scanner. It can detect known malware by comparing suspicious files against a database of previously identified malware signatures. Additionally, behavior-based anti-malware software will check whether a program looks suspicious and flag it to the user even if it doesn't match a known virus. People are often confused about the terms anti-virus and anti-malware, but generally the products are the same and anti-malware is simply a more recent term.

Anti-Virus

Endpoint Scanning

Originally produced to protect PCs from malicious software, anti-virus has evolved from one-dimensional signature-based virus recognition to the multifaceted approach seen today in sophisticated scanning software, which uses predictive analytics, machine learning and AI capabilities.

Anti-Virus Software

Endpoint Scanning

Anti-virus software, also known as anti-malware, is a type of computer program which was initially designed to identify, prevent, and remove computer viruses. Modern anti-virus protects against a variety of malicious tools such as keyloggers, ransomware, rootkits, browser helper objects (BHOs) and trojans.

Asset

Endpoint

An asset is any data, device or other component of an organization’s systems that contains sensitive data or can be used to access such information. Tangible assets include smartphones, laptops, tablets and PCs, which are often connected to company networks, making them a target for cyber criminals. Virtual assets include databases, fileservers, email servers and third-party cloud storage systems.

Asset Profile

Endpoint

Assets define your attack surface, therefore it’s essential to understand how they could become targets. An Asset Profile is a tool which maps threats directly to your unique list of hardware and operating systems, making it simple to gather, prioritize and action threat intelligence data.

ATO - Account Takeover Attack

Cyber attacks Social engineering

Account takeover attacks are a type of cybercrime where the attacker gains control of an account by stealing login credentials, guessing passwords, or using social engineering to persuade the victim into revealing their sign-in information.

Attack Signature

Malware

An attack ‘signature’ is a set of characteristics and behaviors that help identify, detect, and defend against specific types of cyber attacks, and is commonly used by antivirus software to identify and isolate known viruses and malware. By analyzing the patterns of an attack and the protocols it uses, security software can block the attack and alert the operating system before any damage is done.

Attack Surface

Cyber attacks

The attack surface refers to the various points of entry where an unauthorized user may enter or extract data from an environment. Keeping the attack surface as small as possible is a security best practice that can help protect your data and systems from a cyber attack.

Automated Cyber Attacks

Cyber attacks

Automated cyber attacks are carried out by machines which are programmed to run without any human input and have become more common in recent years because they can be done faster and more efficiently than manual hacks. There is also less chance of being caught since the person who programmed the bot does not need to be present for it to work.

B

Backporting

Cyber attacks

Backporting is the process of taking changes from a recently updated version of software and applying them to older versions of the same software while maintaining program compatibility. It is normally done to deliver bug fixes or security patches to software applications that must keep working on older operating systems.

Badware

Malware

Badware is a type of malware that can steal user data, often displaying ads or other unwanted content in the victim’s browser. Badware is usually the result of an accidental download which installs a keylogger or another tool for sending user data to a third party. The effects of badware on the victim's system vary, depending on the type of badware and how it was installed; however, the most common effects are slow performance, pop-ups, and ads.

Baiting

Cyber attacks Social engineering

Baiting is a type of social engineering attack where scammers use a false pretence to lure a victim into a trap, in order to steal personal or business data, obtain financial information or introduce malware into the victim's system.

Barrel Phishing

Cyber attacks Social engineering

Barrel phishing usually involves two emails. The first email is sent to gain the user’s trust that the sender is a reliable source. The follow-up email contains a malicious link or attachment, with the goal of tricking the user into clicking the link or downloading the attachment because of the trust gained from the initial email.

Barriers to Entry

Scanning

Barriers to entry in cybersecurity are the obstacles or hindrances put in place by a company that make it difficult to secure your business data and resources. Solving barriers to entry involves investing in cyber security training, ensuring that your organization follows best practice for password security, and regularly updating your operating systems and software.

Beacon

Cyber attacks

A beacon refers to patterns in the communication between a server and a host, and is often the result of legitimate network traffic. However, malware relies heavily on beaconing to get instructions from its server, so recognizing unusual, repeated traffic can be an indicator of nefarious activity within the network.

BEC - Business Email Compromise

Cyber attacks Social engineering

Business Email Compromise (BEC) is a type of phishing scam where hackers use legitimate business email addresses, or close copies, to send fake emails to an internal finance department, requesting the transfer of funds to a fake account. This common attack is also used to steal data as part of a more in-depth cyber attack. Techniques used for BEC include spoofing, phishing, and malware. (See also, CEO Fraud)

Big Data

SOC/SIEM Scanning

Big data is a term to describe the increasingly large quantities of complex data that businesses generate daily. Managing, analyzing and getting insight from large volumes of data requires data analytics software, which can help to inform your cyber security strategy. Unfortunately, data is valuable to hackers too and handling large volumes of sensitive data can also mean that your business is at increased risk of attack.

Blacklist

Endpoint

Blacklisting is an access control process for blocking access to certain domains in a browser or search engine. It is configured inside many cyber security tools, such as antivirus and intrusion detection systems, and is mostly used for blocking spam email and malicious websites to prevent known viruses and malware from infecting machines linked to a network. (See also, Whitelisting)

Blended Threat

Malware

A blended threat is a combination of two or more different types of malware, such as a worm and a Trojan horse. It is also sometimes called a hybrid threat. The term "blended" means that these types of malware are combined to form one complete virus, which can make it difficult for antivirus software to detect and remove it.

Blockchain

Security

A blockchain is a growing list of records, called 'blocks,' which are linked using cryptography. The blockchain technology that powers cryptocurrency enables the exchange of value between two parties, without the need for a third party, such as a bank. The records in the blockchain are permanent, anonymous, and difficult to alter. Blockchains can be viewed publicly or privately, but both types are regulated by the same mechanism. Individual users can utilize a personal blockchain using software, such as wallets.

Blocklist

Cyber attacks

A blocklist is an access control mechanism that denies access to a list of items, such as email addresses, passwords, URLs, IP addresses or websites. An example of a blocklist would be an email blocklist, which blocks emails received from unknown or fraudulent email addresses, especially those that are known to be malicious.

Bot/Botnet

Malware

A botnet is a group of computers that have been hacked and are controlled by a single entity. Botnet victims are often unaware that their PC has been compromised and is being used to send spam emails, mine crypto currency or send repeated requests to computers on another network as part of a distributed denial of service (DDoS) attack. (See also, Zombies)

Brute-Force Attacks

Cyber attacks

A brute-force attack involves the hacker trying various combinations of username and password to gain access to a user account. The speed of modern computing means that thousands of combinations can be tried every second. By far the best way to secure user accounts against brute force attacks is to use strong unique passwords for every login.

C

Caching

Security

Caching is the storing of data in temporary or permanent storage. The data can be retrieved later using a unique identifier, which is known as a cache key. The goal of caching is to reduce repetitive queries and improve efficiency so that the data can be accessed faster.

CAPTCHA

Security

CAPTCHAs are a type of challenge-response test that is used to determine whether the user is a human. They are often used to protect websites from bots, as well as to protect the privacy of users on sites. CAPTCHAs can be helpful for website owners and users by providing an extra layer of security against bots and spam, which can lead to more authentic interactions between humans and website owners.

CASB - Cloud Access Security Broker

Security

Cloud access security brokers (CASB or ‘cas-bee’) are a type of software designed to protect cloud-based applications and data by controlling access to them. CASBs act as an intermediary between cloud applications and service users by providing security management features in the cloud.

CEO Fraud

Social engineering

CEO fraud is a type of social engineering attack which uses the stolen credentials of the CEO or another senior member of a company to send fraudulent emails to employees. Commonly a fake email is sent to the finance department of an organization requesting that a payment is made to a partner or supplier. The goal is to put the recipient under pressure by creating a sense of urgency that will encourage them to carry out bank transfers without prior checks. (See also, Business Email Compromise)

CERT - Computer Emergency Response Team

Security

A Computer Emergency Response Team (CERT) is a computer security incident response team that provides technical assistance to victims of cyber crime, identifies and mitigates vulnerabilities, and improves cyber security within organizations through education and awareness.

Ciphertext

Security

Ciphertext is text that is rendered unreadable by encryption using a cipher. The cipher converts the plaintext into a secret message. After encryption, the message can only be read by the intended recipients using a decryption key.

Clickjacking

Cyber attacks

Clickjacking is when a user clicks on an invisible or disguised button or page element on a website, resulting in a malicious software download or another cyber attack designed by the hacker. Clickjacking sometimes involves placing an image over the top of a hidden element and disguising the image as a page link, so that the click lands on the hidden element rather than the link.

Clone Phishing

Social engineering

Cloning is a type of phishing attack where the hacker creates a copy of a legitimate, previously delivered email which is sent from a fake address. It will appear to be from the original user, but the sender address will contain typos and other slight variations which give it away as being fake.

Cloud Computing

Cloud computing is a model for delivering on-demand and remote access to computing services, including networks, servers, storage, software, and applications. By hosting files and services over the internet, rather than on local hardware devices, cloud computing allows greater flexibility, scalability, speed and efficiency for users and businesses.

Cloud Firewall

Security

Cloud firewalls (sometimes called next-gen firewalls or firewalls as a service, FWaaS) protect the flow of data across networks from unauthorized access, screen traffic, and block any suspicious or malicious requests, much like a traditional firewall. However, because they are hosted in the cloud, they can protect the virtual online perimeters of cloud applications and services, as well as being deployable over internal networks.

CNAPP - Cloud Native Application Protection Platform

Security

A cloud native application protection platform (CNAPP) is a type of integrated security software that provides all-round protection for applications and services running in the cloud. Popularized by Gartner as a solution for consolidating tools, CNAPPs are designed to bring together multiple disjointed security solutions into a single platform to improve visibility and tighten controls.

Continuous Monitoring

Scanning

Continuous monitoring is a software-based approach to cyber security providing continuous protection against new and emerging threats, and faster detection of threats in the network. Continuous monitoring scans your network for any vulnerabilities, identifies changes in your environment, and then acts based on those findings.

CORS - Cross-Origin Resource Sharing

Cyber attacks

Cross-Origin Resource Sharing (CORS) is a mechanism that allows resources to be requested from another domain outside of the one where the resource originated. CORS is a browser API that allows for cross-domain requests to be made. It has two parts: an API for making cross-domain requests and an API for handling responses from those requests.

Credential Stuffing

Cyber attacks

Credential stuffing is a cyber attack where hackers use stolen credentials, often obtained from a data breach or on the dark web, to gain unauthorised access to user accounts. Credential stuffing is a common attack vector used by cybercriminals because many users reuse their passwords across multiple accounts. It differs from a brute-force attack in that hackers use already compromised credentials to identify which users have reused the same username and password across multiple accounts.

Cross Site Scripting - XSS

Cyber attacks

Cross-Site Scripting (XSS) is an attack whereby client-side scripts are compromised to include unauthorized data which can be leveraged to attack other users of your web application. XSS attacks include accessing sensitive application data, logging user keystrokes, or obtaining user passwords stored in the browser. When combined with other attacks, such as cross-site request forgery (CSRF), XSS can be used to perform privileged state-changing actions within the application, such as forcing a user to change their email address, potentially resulting in account compromise, denial of service or even information disclosure.

Cross-Domain Referer Leakage

Cyber attacks

Cross-domain referrer leakage is a security vulnerability that occurs when a browser leaks the referrer for one domain to another domain. This can happen when a script on one website opens a URL in an iframe or object on another website, and can be used by hackers to steal information, such as user login credentials.

CRUD - Create, Read, Update, and Delete

Log monitoring

CRUD refers to the four basic computer programming operations that can be performed on data kept in 'persistent storage' on a hard drive or in a relational database accessed through an API (such as one that remembers card payment details). In cybersecurity, 'create, read, update and delete' functions are required as a minimum standard when working with a persistent storage database.

Crypto Currency

Cryptocurrency is digital currency that is not regulated by a centralised bank, unlike traditional fiat currencies. Crypto currency uses cryptography to secure transactions and control the creation of new currency, using distributed ledger technology on the blockchain. The process of mining for crypto currency such as bitcoin requires a high amount of computing power to solve increasingly complex cryptographic hash puzzles; solving them produces new digital coins, which are then added to the public ledger.

Crypto Malware

Malware

Crypto malware typically uses public-key cryptography to encrypt files on a victim's system with an asymmetric cryptographic key pair; one key is used for encryption, while another is used for decryption. The private key cannot be derived from the public key and vice versa; so, to decrypt files on your system you need access to the private key. There are many different types of crypto malware such as ransomware, worms, trojans, viruses, spyware, keyloggers, and adware.

Crypto Mining

Crypto mining involves using blockchain technology to solve complex mathematical equations to generate new bitcoins (or other forms of crypto currency mined on the blockchain). Due to the huge amount of CPU power required to mine for digital currencies, hackers often use compromised machines to leverage any unused capacity on the central processing unit to generate new currency. (See also, Cryptojacking)

Cryptojacking

Cyber attacks

Cryptojacking is the unauthorized use of a computer to mine for crypto currency, where a program is installed to run in the background without the user’s knowledge or consent. Machines that are being used to mine crypto currency may overheat or lag as power is drained from the central processing unit; however, as the hackers need the computer to keep functioning, victims of cryptojacking may be unaware that their machines have been compromised. (See also, Crypto Mining)

CSIRT - Computer Security Incident Response Team

Security

A Computer Security Incident Response Team (CSIRT) is a group of cyber security professionals that identifies and mitigates vulnerabilities and improves cyber-security within organizations through education and awareness.

CSP - Content Security Policy Header

Security

A Content Security Policy (CSP) is a set of instructions used in an HTTP response header that helps to protect against cross-site scripting and other content injection attacks. CSP headers define what sources are allowed to load scripts into a page, the types of scripts that are allowed, and how those scripts should be loaded.

CSRF - Cross-Site Request Forgery

Cyber attacks

Cross-site request forgery is a type of security vulnerability that allows attackers to send unauthorized requests to web applications. CSRF attacks are typically conducted through malicious links, advertisements, or JavaScript code that cause the victim's web browser to send the forged requests automatically.

CTEM - Continuous Threat Exposure Management

Cyber attacks Security

Continuous Threat Exposure Management (CTEM) is an ongoing, systematic approach for monitoring, assessing, and remediating vulnerabilities across an organisation’s attack surface to reduce security risks. It involves continuous evaluation of external points of entry, identification of vulnerabilities, and implementation of targeted remediation plans aligned with identified weaknesses to protect digital and physical assets.

CVE Database

Cyber attacks

The CVE (Common Vulnerabilities and Exposures) database is a publicly accessible repository of publicly disclosed cyber security vulnerabilities. By identifying, defining, and cataloguing security vulnerabilities, the security industry has a common language to describe different cyber attacks.

CVSS - Common Vulnerability Scoring System

Scanning

CVSS or Common Vulnerability Scoring System is a standardized way of uniquely defining, comparing, and tracking cyber security threats and the associated risks. CVSS leverages automated processes to collect data from public resources such as security websites and active threat intelligence feeds to provide a clear picture of the threat landscape.

Cyber Attack

Cyber attacks

A cyber attack is where a threat actor attempts to access, disrupt, or destroy a remote system, or steal, destroy or alter data on that system. Cyber attacks vary wildly in form and severity, but they are all bad news for your business.

Cyber Espionage

Cyber attacks

Cyber espionage is one of the most dangerous threats that organizations face. Cyber espionage can result in financial loss, reputational damage, and loss of business through data and IP theft, stolen trade secrets, or other confidential business information, such as financial records from within company computer systems.

Cyber Security

Cyber attacks

Cyber security, computer security or IT security is the protection of computers, servers, applications, mobile devices, networks, cloud, and other online resources from malicious attacks. Cyber security works to prevent unauthorised access to, or disclosure, theft or damage of, information, hardware, or software, or the services that these help provide.

Cyber Security Incident

Cyber attacks

A cyber security incident is when a person or party breaches a system's security policy to affect the integrity or availability of data. Unauthorized access, or attempted access, to a system can open the possibility of sensitive data being stolen, systems being taken over, or ransomware being installed on a machine.

Cyber Security Mesh

Security

Cyber security mesh, as defined by Gartner, is “a composable and scalable approach to extending security controls, even to widely distributed assets. Its flexibility is especially suitable for increasingly modular approaches consistent with hybrid multi-cloud architectures. CSMA enables a more composable, flexible, and resilient security ecosystem. Rather than every security tool running in a silo, a cybersecurity mesh enables tools to interoperate through several supportive layers, such as consolidated policy management, security intelligence and identity fabric”.

Cyber Security Threats

Cyber attacks

A cyber threat, or cyber security threat, is a malicious act that threatens to steal, share, or compromise sensitive data, or to breach a computer network and disrupt its services or technology. Cyber security threats can occur because of an attempted cyber attack or data breach, and consist of a variety of attack vectors, including phishing, malware, and denial of service (DoS) attacks.

D

Dark Web Monitoring

Scanning

Dark web monitoring is the process of searching for, and tracking, your organization's information on the dark web. Monitoring tools allow you to search across dark web marketplaces and Tor hidden services. If your organization's information is found on these sites, dark web monitoring tools can provide intelligence on who is using the information, how it is being used, and the best way to act.

Dark Web/Deep Web

The 'deep web' is simply web-enabled resources that are not indexed by search engines. The dark web is also similarly unindexed, but typically requires special communication tools, such as the Tor browser, to access it. The dark web, as its name implies, is where illegal activity is carried out, and is where cyber criminals can sell data and orchestrate attacks.

Data Breach

Cyber attacks

A data breach occurs when data is exposed, altered, or destroyed, typically by threat actors, as the result of a successful hacking attempt. Sometimes data might be compromised accidentally from within a business or because of poor security, without the knowledge or authorization of the system's owner.

Data Exfiltration

Data exfiltration in cyber security is the unauthorized movement of data to another location where it can be accessed by undisclosed third parties. Data exfiltration can occur when a system is breached or when attackers use tactics like social engineering or phishing to trick someone into giving them access to sensitive data.

Data Mining

Data mining is a process that extracts useful information from large amounts of data in a wide range of applications used for predictive modelling and decision making. Data mining analyses and extracts patterns from data and is used in cyber security as an early-warning system for fraud detection and to find security holes in networks.

DDoS - Distributed Denial of Service attacks

Cyber attacks

A Distributed Denial of Service (DDoS) attack is when a network is flooded with traffic from multiple locations using remote machines (See also, Zombies, Bot/Botnet) to overwhelm the server and cause the target website to crash. During both a DoS and a DDoS attack the server receives more data packets than it can process, resulting in data corruption, delayed responses, or complete system shutdown.

Deepfake

Deepfakes are life-like animations of people generated by AI that are designed to be indistinguishable from the real thing. Under the control of a hacker, a deepfake could be used over a video call to give false instructions to a finance team to initiate a payment. Deepfake videos already exist, most notably in the form of celebrities and politicians giving statements that they, in truth, never made.

Dictionary Attacks

Cyber attacks

A dictionary attack is a type of brute-force attack where threat actors run through common words and phrases, such as those in a dictionary, to guess passwords. Credential stuffing is a type of dictionary attack. This is one of the reasons why having strong, unique passwords is so important.

Digital Forensics

Scanning

Digital forensics is a branch of forensic science that analyzes digital media to detect, prevent, and respond to cyber attacks. It encompasses the legal process of gathering and examining evidence in a cyber investigation. By providing a well-defined process for analyzing data, digital forensics can be used to ensure that the traceability, integrity, and credibility of evidence is maintained throughout the analytical process. Digital forensics can also be used to detect malware and viruses on devices, uncover deleted files, and search for crucial pieces of evidence as part of an investigation.

DNS Amplification Attacks

Cyber attacks

A DNS amplification attack is a type of DDoS attack which uses a Domain Name System (DNS) server to amplify the volume of traffic. A DNS server typically receives an average of 10-20 queries per second, but in a DNS amplification attack the victim’s servers may receive up to 400 times that amount. The attacker sends forged requests to open recursive name servers using spoofed IP addresses (the source address in each packet is set to the intended victim's address, so the replies are delivered to the victim). Open recursive name servers respond to those requests with large amounts of data, which is sent back to the target, thus causing high volumes of data traffic on both sides.

DNS Tunneling Attacks

Cyber attacks

A DNS tunneling attack uses the Domain Name System (DNS) protocol (meant for looking up IP addresses) to exfiltrate data via a command and control channel set up by the hacker. The attacker does this by infecting a machine behind a company firewall with malware and using it to send queries to the DNS resolver, which are then routed on to the command and control server, where a tunnelling program is installed.

DNS - Domain Name System

The Domain Name System (DNS) is a directory of IP addresses that connects computers and other networked devices to the websites they want to reach. Considered the internet’s telephone directory, a DNS server helps users connect to websites by mapping hostnames, such as www.defense.com, to their correct IP addresses. Without DNS or search engines, users would need to manually type in an IP address to access a website. DNS servers are a fundamental part of the internet, and this globally distributed system of servers is responsible for connecting millions of users across the world.

DoS - Denial of Service Attacks

Cyber attacks

Denial of Service (DoS) attacks, also known as flooding attacks, are where a threat actor floods an online system (such as your website) with more traffic than it can handle, rendering it unavailable to normal users, to whom it will appear offline. Distributed Denial of Service (DDoS) attacks are the same, except carried out from multiple locations at once through use of a botnet. Depending on the skill of the attacker, DDoS attacks can be hard to mitigate without expert help.

Doxxing

Cyber attacks

Doxing or doxxing is the act of publicly revealing private personal information about an individual or organization online. Open-source intelligence is often used in doxing to understand the target and how to expose them. Information gathered via open-source intelligence may include social profiles, domain names, interests, and contact information.

Drive-by Attack

Cyber attacks

A drive-by attack takes advantage of default mobile code execution in web browsers to install malicious software just by visiting a page. One of the most dangerous kinds of cyber attack, drive-by attacks require no interaction from the user, making them hard to detect. Simply visiting the malicious website is enough to automatically compromise your machine.

Dumpster Diving

Cyber attacks

Dumpster diving is the practice of searching through the trash of a business or individual to find information that may be useful to conduct a cyber attack or identity theft. Such information can include discarded sensitive documents including personal or login credentials, and data pulled from discarded hard drives and devices that was never deleted.

Dwell Time

In cyber security, dwell time is the length of time a hacker can linger in your systems before being detected and dealt with. The longer the dwell time, the worse the outcome.

E

EAP - Extensible Authentication Protocol

Security

EAP is a protocol that allows an authenticator to verify the credentials of a supplicant in an automated fashion by using multiple authentication methods. It is used to permit the mutual authentication of the client and the server, while dynamically selecting and using one of many possible authentication mechanisms. EAP differs from other authentication protocols in that it requires its own 'round trip', as both sides must agree on the authentication mechanism being used, so no unauthorized person can hijack the connection.

EDR - Endpoint Detection & Response

Endpoint

Endpoint detection and response (EDR) is a security technology that manages risk by providing visibility of activity through monitoring all traffic in and out of endpoint devices. The goal of endpoint detection and response is to identify potential threats as soon as possible, react quickly, and stop the attack before it can cause any damage, alerting administrators so that malware, ransomware, or other cyber threats can be contained.

Email Phishing

Social engineering

The most common form of phishing is via email. Threat actors will pose as an authority figure, like a senior-level employee, and trick their targets into revealing sensitive information by clicking on a suspicious link or downloading a malicious attachment.

Endpoint

Endpoint

An endpoint is any type of computer or device that is connected to the network, like personal computers, laptops, tablets, and smartphones. If endpoints are not protected by security tools such as endpoint detection and response (EDR) software, they are vulnerable to cyber attacks.

Endpoint Protection

Endpoint

Endpoint protection, previously known as anti-virus software, is a fundamental cyber security control for endpoints such as laptops, desktops and BYOD devices used in businesses. Modern endpoint protection systems often go beyond simple anti-virus and include advanced security features, as well as integrating with other solutions such as SIEM.

Enumeration

Enumeration is the process of establishing a connection with the target host to collect information on users, networks, and applications such as usernames, IP addresses and passwords. Hackers use different types of enumeration to establish a connection through a variety of applications and operating systems, such as SMTP enumeration to connect to a mail server or NetBIOS enumeration to gather information about endpoints on the network.

EPP - Endpoint Protection Platform

Endpoint

An endpoint protection platform (EPP) is a comprehensive security solution deployed on endpoint devices to protect against threats. An EPP solution combines the power of next-generation protection technologies with deep visibility into endpoints and the threat landscape.

Error Log

SOC/SIEM

An error log is a record of all critical errors a server or operating system has detected when active. Error logs can be very helpful when troubleshooting issues, because they provide specific details about the nature of the problem and the exact location where it occurred.

Event Log

Event logging can be used to troubleshoot problems with the computer system, and records data about events happening on the system for diagnosing and resolving issues. Event logs contain information about hardware, software, and network connections, as well as user activity such as logins. Event logs can also be used to monitor user behavior by recording everything from clicks to keystrokes. This information can then be analyzed for patterns or anomalies to identify potential security breaches or misuse of resources by employees.

Evil Twin Attack

Cyber attacks

An “evil twin attack” is a type of cyberattack that works by setting up a fake Wi-Fi network with the same name as a legitimate network. When users connect to the network, they are in fact connecting to the attacker's device, which allows the attacker to 'eavesdrop' on all data being sent and received by users connected to the network.

Exploit

Malware

An exploit is a piece of code that takes advantage of a vulnerability in an application or system. The exploit takes advantage of this weakness to achieve some goal, such as installing malware on a machine. A common misconception about exploits is that they are malware themselves. However, this is not the case. They are a way for cyber criminals to deliver and install malware on your computer.

F

Fileless Malware Attack

Malware

A fileless malware attack does not require a file to be downloaded; because the threat is signature-less and leaves no file on disk, it can't be detected by traditional antivirus. It works by taking advantage of known software vulnerabilities and is written directly into RAM (the system's memory).

FIM - File Integrity Monitoring

SOC/SIEM

File integrity monitoring detects changes in files and compares them against the original file to check for unauthorized changes. File integrity monitoring helps enterprises protect their data from accidental or malicious modifications. It also helps enterprises maintain the integrity of their data by preventing loss or corruption due to file changes.

Firewall

Security

A firewall can be either software or hardware designed to protect a network from unauthorized access. It monitors and controls incoming and outgoing traffic to make sure that only authorized data can pass through by analyzing each data ‘packet’ and deciding whether it should be allowed to pass, be blocked, or dropped from the system.

Flooding

Cyber attacks

Flooding attacks, also known as Denial of Service (DoS) attacks, are where a threat actor floods an online system (such as your website) with more traffic than it can handle, rendering it unavailable for normal users, to whom it will appear offline.

Fork Bomb

Cyber attacks

A fork bomb is a type of denial-of-service attack that uses the Unix process-creation facilities to create processes that in turn create more processes. A single process may create two million processes before the system runs out of memory, and all processes combined will use about 11 megabytes. In a sense, a fork bomb turns the system into a sponge that soaks up all available resources to drain them and bring the system down.

H

Hacker

Cyber attacks

A hacker is someone who tries to gain access, manipulate, destroy, or otherwise interfere with systems they are not authorized to access. Hackers incorporate a wide variety of demographics, from teenagers trying simplistic attacks, to well-financed nation-state groups taking down a strategic target. They operate 24/7 all over the world and are an inevitable part of modern business operations.

Hacktivism

Cyber attacks

Hacktivism (hacking + activism) or cyber-campaigning is where online activists, or hacktivists, use technology to expose, challenge and fix problems related to human rights, freedom of information, animal rights or the environment. The motive of hacktivism is not always for financial gain but rather to support a social, political, or religious cause. The term is often used interchangeably with 'digital activism' or 'cyber-campaigning'.

Hash

Cyber attacks

A ‘hash’ is a unique string of letters and numbers generated by a computer program and is used to protect sensitive data such as passwords online.

HIDS - Host-based Intrusion Detection System

Endpoint

A Host-based Intrusion Detection System (HIDS) monitors and sends alerts if suspicious activity is detected on a single host such as a computer, server, or another endpoint device. Most HIDS deploy software known as an agent on the host that will monitor and report on activity such as network traffic for that specific host, file access, file modifications, configuration changes, running processes and events, and application and system logs. HIDS are typically installed on critical hosts such as servers that contain sensitive data or that are accessible to the public, but HIDS agents can be deployed on any single host and are available for use on most servers and computers used by businesses.

HIPS - Host-based Intrusion Prevention System

Endpoint

A host-based intrusion prevention system (HIPS) is a software-based security application that is installed on a device and can be configured to watch for suspicious activity, such as an unauthorized installation, or to monitor for malicious code. The HIPS will then act when it detects the occurrence of these events, such as blocking or removing potentially harmful software.

Honeypots

Cyber attacks

A honeypot is a decoy computer system or server that is set up to snare hackers into believing it is a legitimate target. Honeypots are built deliberately with vulnerabilities to lure hackers into attacking them, so security teams can collate intelligence on how cybercriminals operate, from their methods of attack to the type of attacks they deploy.

Human firewall

Security

A human firewall is a term which describes how security best practices within an organizational culture can result in employees actively taking part in the security framework. Companies can build a human firewall by adopting a ‘security first’ mindset, embedding security into policies and procedures, and training staff to become security aware.

I

IaaS - Infrastructure as a Service

Endpoint

Infrastructure as a service (IaaS) is the delivery of computer infrastructure in a way that offers on-demand self-service including access to storage, servers, networking, and other data center hardware. IaaS does not require any hardware to be purchased by the customer, and instead provides access to the physical infrastructure owned by the provider, allowing customers to use and manage virtualized resources in the cloud.

IAM - Identity Access Management

Endpoint

Identity management is a system for managing user access to an application or resource. Identity management is often centralized in a single system, such as Active Directory, so that each user authenticates with a single set of credentials across systems. To maintain a secure environment, identity management must provide appropriate levels of authorization and authentication to every user who needs access.

Incident Response

Cyber attacks

Cyber incident response is how a business detects, analyses, responds to and recovers from a cyber attack. The details of each of these steps will depend on the nature of the attack and of the affected systems. Effective cyber incident response relies on pre-prepared and tested plans that set out what needs to be done in a variety of situations to limit damage and expedite recovery.

Information Security

Security

Information security, or infosec, protects information by discovering, quantifying, assessing, and mitigating risks to corporate data. It differs from cyber security in that the primary concern is protecting the confidentiality, integrity, and availability of data. In cyber security, the primary concern is protecting against unauthorized (electronic) access to the data.

Input Validation

Security

Input validation is the process of checking user input against a pattern or rule to ensure that data is entered correctly and in the appropriate format, allowing software to respond appropriately to bad user input and preventing malicious attacks. Common input validation techniques include string length limits, data type and range checks, and integer checks.

Insider Threat

Insider threats are people who have access to an organization's systems and information but do not act in its best interest. The most susceptible insiders are those who are disgruntled or have a grudge against the company, or those who are seeking revenge for being fired or wrongfully terminated. Another category is people who want to make money off their access to the company's data, such as by selling it on the black market.

Intrusion Detection

Endpoint

Intrusion detection is system software which checks if an unauthorized person has tried to access a computer or network. Host-based intrusion detection is installed on computers or servers that are in danger of being accessed by unauthorized persons. Network intrusion detection monitors network traffic to detect if an unauthorized person has tried to access it.

Intrusion Detection and Prevention Systems (IDPS)

Endpoint

An Intrusion Detection System (IDS) monitors a network for activities that might have malicious intent. By using signature-based detection and anomaly-based detection, unusual network activity can be detected, and an alert sent to an IT administrator. An IDS is a passive system, and its purpose is to analyze, detect and alert, not to prevent a cyber threat. An Intrusion Prevention System (IPS), on the other hand, functions similarly but will attempt to block any threat.

IoA - Indicators of Attack

SOC/SIEM

Indicators of attack are the digital footprints left behind after a breach has occurred. Investigators generally receive this information after being notified of suspicious incidents or after being notified of unusual callouts from the network. This data can also be used to teach the software to detect and quarantine suspicious files in the future. (See also, Indicators of Compromise)

IoC - Indicators of Compromise

SOC/SIEM

Indicators of compromise are red flags that security professionals look for to check if a system has been compromised. Common indicators include unusual traffic, a spike in privileged user account activity, and digital footprints left behind by hackers such as their IP address, or other clues that identify the source of the attack. (See also, Indicators of Attack)

IoT - Internet of Things

The Internet of Things (IoT) is a network of internet-connected physical devices that can communicate with each other to store, exchange, and share information using embedded sensors. IoT-enabled smart devices can send and receive data, monitor tasks and control other IoT devices remotely without user intervention. Applications of IoT are constantly growing, especially in manufacturing, known as the Industrial Internet of Things (IIoT), and in healthcare, known as the Internet of Medical Things (IoMT).

IP - Internet Protocol

Internet protocol is one of several types of network protocol that form the building blocks of the internet. Internet protocol (IP) specifically identifies each individual device that is signed into a network through a unique number, known as an IP address. Unlike a home address, IP addresses can change because they are assigned by internet service providers based on where the network is accessed.

IPS - Intrusion Prevention System

Endpoint

An intrusion prevention system (IPS) is security technology designed to detect and stop malicious attacks by monitoring network traffic (network-based IPS) or the activity of an individual computer (host-based IPS). An IPS is like a firewall in that it protects networks from intrusion, or unauthorized access, by identifying and blocking malicious traffic.

IRP - Incident Response Platform

SOC/SIEM

An incident response platform provides guidance, assistance, and incident response automation. Incident response services offer critical capabilities such as case management that supports analysts' workflow and enables security personnel to collaborate on incident response.

K

Keylogger

Cyber attacks

Keyloggers are software programs that capture and send information about a person’s keystrokes to third parties. They can be used to steal passwords, credit card numbers, and other personal data. Key logging software is installed without the user knowing through email attachments or malware downloads.

L

Log Files

SOC/SIEM

Log files contain information about the requests made to your website including the IP address of the visitor, the URL they requested, the status code, and how long it took for the server to respond. You can use log files to debug code and to analyze and uncover cyber-attacks. In the event of a breach, log files provide an important source of information on the number and types of requests made.

Log Monitoring

SOC/SIEM

Log monitoring is the process by which an organization can collect and observe log data from various sources to detect malicious activity and take remedial action.

Log4J

SOC/SIEM

Apache Log4J is an open-source logging library for Java, developed by the Apache Software Foundation, that allows developers to monitor activity in their software and applications. Log4J is ubiquitous and is used in many systems and tools every day. It generates logs for system administrators and DevOps that expose errors or faults that would not otherwise be detected by an application.

Logic Bomb

Cyber attacks

A logic bomb is a string of malicious code that is preinserted into a network, operating system, or application. The logic bomb is activated when certain conditions are met and can harm systems by deleting files, corrupting data, or erasing hard drives. The string of malicious code may be time/date sensitive (a time bomb) or deploy as a payload within a malware program under a particular set of circumstances.

M

Machine Learning

SOC/SIEM

Machine learning (ML) is a technology whereby algorithms can learn how to produce complex outputs based on statistical analysis of large or complex data sets. This analysis can greatly improve security defenses, such as SIEM, through use of enhanced correlations.

Macro Virus

Malware

Macro viruses are a type of malware that infects Microsoft Office documents, such as .docx, .pptx, and .xlsx files. Macro viruses can also spread to other files with the same file extension and to other computers when an infected document is opened on a computer.

Malvertising

Malware

Malvertising is a type of online advertising that uses malware to infect a user’s computer with harmful software. These attacks are typically found on websites that have been compromised by hackers and they can be very difficult to detect. You can protect yourself from malvertising attacks by installing an ad-blocker, keeping your operating system up-to-date and not clicking on unknown links.

Malware

Cyber attacks

Malware (malicious software) is a catch-all term to describe software that has been designed for harming or destroying computer systems. Malware includes a wide range of programs with a variety of functions, all of which can compromise IT infrastructure. Preventing hackers from planting malware on your machine is the primary goal of many security technologies.

Managed SIEM/Outsourced SIEM

SOC/SIEM

Managed SIEM (Security Information and Event Management) is an outsourced alternative to setting up and deploying a SIEM solution within a company infrastructure. Managed SIEM is hosted by the provider on their servers, which are configured with the organization's network activity and log data to create and manage alerts using an external team of security professionals.

MDR - Managed Detection & Response

Endpoint Scanning

Managed detection and response (MDR) is an outsourced solution that combines endpoint and extended detection and response to detect, analyze and respond to threats in real time. MDR provides an advanced layer of protection by analyzing security events, correlating data from multiple sources, and detecting new threats.

Meterpreter

Cyber attacks

Meterpreter, from Metasploit, is a powerful tool that can be exploited by threat actors to perform fileless attacks. It is designed specifically for use with the Metasploit Framework, which automates the process of finding, exploiting, and delivering malware to target hosts. It is designed to be easy to use while also being flexible and powerful.

MiTM - Man in The Middle Attacks

Cyber attacks

A man-in-the-middle attack (MITM) occurs when a threat actor positions themselves between a user and an application, to eavesdrop or intercept communication, or to impersonate a legitimate participant. The result of a MITM attack includes stealing personal information, such as login credentials and/or payment card details.

MSSP - Managed Security Service Provider

Security

An MSSP is a company that manages and monitors your IT security systems and assets, taking care of everything from analyzing your current IT environment, configuring security devices and systems and monitoring their performance, to making recommendations on how to improve efficiencies. The benefits of working with an MSSP can include reduced costs, improved security, and an overall improvement in the performance and availability of your IT assets.

N

NOC - Network Operations Center

SOC/SIEM

Network Operations Centers (NOC) are facilities that monitor, control, and manage computer networks. They serve as your first line of defense against network disruptions and failures. A NOC is the central point of contact for network operators, who can use them to remotely diagnose and troubleshoot network problems. In cases of emergency or disaster recovery, a NOC provides round-the-clock remote monitoring and maintenance for data networks.

P

Packet Sniffing

Cyber attacks

Packet sniffing is the process of capturing and analyzing data packets that are transmitted over a network. Packet sniffers are used for a variety of purposes, including network troubleshooting, intrusion detection, and data extraction. Packet sniffing can also be used by hackers to take advantage of missing security protocols in web page headers.

Password Manager

Security

Password managers are software applications that store multiple login credentials in a secure system that is accessed by the user using a single master password. This saves the user recalling multiple logins to access online apps and services as password managers can autofill credentials, generate strong passwords for new accounts, and sync across different operating systems. Password managers use military-grade encryption to prevent them from being hacked.

Password Spraying

Cyber attacks

Password spraying is a type of brute-force attack that attempts to access many accounts by using a list of default passwords. Password spraying is a volume-based approach, and the attacker will continue to ‘spray’ as many commonly used passwords at an account over a period to gain access.

Patching

Security

Patching is a process of fixing system vulnerabilities and updating existing applications and software. Patching is a crucial stage in vulnerability management and helps to keep software up-to-date and functioning correctly. There are three common types of patches, including security patches, feature updates and bug fixes. Patch management ensures patches, or code changes, are applied in a timely manner to secure operating systems and software from being exploited by cybercriminals.

Phishing

Cyber attacks Social engineering

Phishing is a type of social engineering attack where a threat actor uses deception and psychology to manipulate the target via email. Their goal is usually to get them to click a link, open an attachment, or provide personal information under a pretence. Phishing is the most common cyber-attack, usually targeting employees working within the finance and HR departments of an organization.

Q

Quantum Computing

Quantum computing is an emerging field of computing that has been recently gaining momentum. It is based on the principles of quantum mechanics and uses quantum bits, (or qubits) to store information. Quantum computing has many advantages over traditional computing in that it is generally faster and more efficient, requires less power to function, and it can solve complex problems that surpass current computing capabilities.

R

RaaS - Ransomware as a Service

Cyber attacks

Ransomware as a Service (RaaS) is where cyber criminals lease out ransomware programs on a subscription-based model to anyone looking for a way to make money online by extortion. Most RaaS programs use crypto malware which encrypts data on a target's device.

Ransomware

Cyber attacks

Ransomware is a specific type of malware that encrypts system files so that authorized owners may not access them. Victims are blackmailed into paying a ransom to retrieve the decryption key. However, there is no guarantee that hackers will return lost files even if a ransom is paid. The prevalence of ransomware attacks highlights the importance of strong frontline security, and regular, offline backups.

Risk Assessment

Scanning

Risk assessment is the process of identifying, quantifying, and prioritizing cybersecurity risks, to understand the most significant vulnerabilities in an organization's IT infrastructure and rank them based on their likelihood of exploitation. A cybersecurity risk assessment helps an organization understand potential threats to its information technology infrastructure and can be carried out internally or by a third party.

Risk Management

Scanning

Risk management in cybersecurity involves identifying and analyzing potential threats and vulnerabilities, the likely consequences of these threats occurring, and their potential impact. Once these factors have been determined, a threat can be prioritized based on its severity and likelihood of occurrence. An organization can then develop action plans for how to respond to potential threats, as well as implement preventative measures to mitigate these risks.

Rootkits

Cyber attacks

A rootkit is a malware program that allows attackers to gain administrative access to computers, giving them the ability to change or steal data. A rootkit is a type of IoT device that allows an attacker to control another device remotely. Rootkits can be installed on almost any device with a hard drive, including laptops, desktops, and even servers.

Runbooks

SOC/SIEM

Runbooks determine what happens in any given security situation. In the case of an MDR service, your security partner will have established, proven runbooks that outline prudent, effective steps to isolate, contain, eradicate, and recover from any potential security incident.

S

SaaS - Software as a Service

SOC/SIEM Scanning Endpoint

Software as a Service (SaaS) is used to describe a software product that is hosted by a third-party provider over a remote server. SaaS can significantly reduce IT costs and increase flexibility and scalability without any downtime or interruption of services. Software as a Service can also minimize the risk of data loss, although it is both the responsibility of the company and the vendor to ensure that data is kept secure.

SANS Institute

The SANS Institute offers a variety of programs to help professionals in the cyber security industry. They offer courses on a range of topics, including malware analysis, penetration testing, ethical hacking, cybercrime investigations, digital forensics, and data privacy and security. SANS offers over 100 courses and provides certifications in many different cybersecurity related fields.

Scareware

Cyber attacks

Scareware, or 'scamware', aims to scare you into downloading or buying fake anti-virus software, or visiting websites that try and force you to download/buy malware.

Script kiddies

Cyber attacks

A script kiddie, also known as 'skid', is someone who uses scripts, exploits and programs written by more experienced hackers to attack computer systems and networks.

SECaaS - Security as a Service

Security

Security as a Service (SECaaS) allows companies to outsource their IT security needs to an external third party who can provide them with tools and software from a team of specialists at an affordable price. This is like using a software as a service (SaaS) platform with the addition of providing a certain number of hours of expert input from a remote security team.

Security Awareness Training

Social engineering

Security awareness training programs are a crucial part of an organization’s security strategy, as they provide employees with the know-how to identify and avoid cyber threats. The goal of these programs is to make sure that employees are aware of potential security risks and how they can protect themselves from them, typically covering how to identify phishing emails and spot malware, and what actions to take if they suspect a security breach.

Security Posture

Cyber attacks

Security posture refers to an organization’s overall cybersecurity resilience against attacks. A business’s ability to detect and react to security events, and the controls and processes it has in place to protect it from threats will determine the strength of its security posture. A security posture will include everything from information security, penetration testing, vulnerability scanning, endpoint protection, network security, cyber security awareness training, vendor risk management to compliance.

Server Monitoring

Log monitoring

Server monitoring provides visibility on requests made to hardware and cloud-based servers to ensure system functionality, detect and correct server errors, and to monitor requests for unusual activity which could indicate a cyber-attack. Server monitoring mainly tests for accessibility and response times and can use historical data to track performance and predict how the server is likely to perform in future.

Shadow IT

Cyber attacks

Shadow IT is the IT infrastructure that is unknown to the IT Department. BYOD, legacy equipment, systems adopted through acquisitions, and cloud services procured by users are all types of shadow IT. Shadow IT, being unknown, has the potential to introduce significant security risks to your business.

Shoulder Surfing

Social engineering

Shoulder surfing, a type of social engineering, is when an individual looks over your shoulder to get information about you or your organization with the intention of carrying out a brute force cyber attack, or social engineering their way into the business via phishing emails.

SIEM - Security Information and Event Management

SOC/SIEM

SIEM stands for Security Information and Event Management and uses logs from your IT systems to detect suspicious behavior and vulnerabilities. Once a security threat or event is spotted, an alert is raised to signal that remediation is required. SIEM is a powerful cyber defense tool when implemented correctly, but it can be costly to procure, configure and manage to get value from your initial investment, without expert support. (See also, Managed SIEM)

Smishing

Cyber attacks Social engineering

Smishing (SMS + phishing) is when a hacker sends a phishing message via text to the target’s smartphone to trick them into giving away valuable information such as bank details and login credentials. Like phishing, smishing uses a sense of urgency to encourage users to act when they are likely to be distracted by other notifications on their phone and in their environment.

SOC - Security Operations Centre

SOC/SIEM

A SOC (Security Operations Centre) is a centralized hub that deals with all security-related activity within an organization, either staffed internally or outsourced to an external security provider (see also, SOCaaS). SOCs provide businesses with a centralized point to monitor and respond to any potential cyber incidents, responding to security alerts collected by SIEM security software.

SOCaaS - SOC as a Service

SOC/SIEM

SOC as a Service (SOCaaS) is a security operations center that is outsourced and run by an external team on behalf of an organization to monitor security, provide specific security services tailored to the needs of the business, provide 24/7 security monitoring, and contain threats. It is also sometimes referred to as ‘outsourced’ or ‘managed’ SOC.

Social Engineering

Cyber attacks Social engineering

Social engineering is a cyber attack which involves manipulating people into performing actions or revealing confidential information which can compromise security and lead to a data breach. Social engineering can be carried out by email, phone or in person and works by creating a sense of urgency or obligation which the target mistakes for genuine communication.

Spam

Cyber attacks Social engineering

Spam email is a type of unsolicited email that is typically sent in bulk and is usually unwanted, uninteresting, or deceptive. Spam email can also be used to steal personal information or infect computers with malware, which can happen when people open malicious attachments or click on links in spam emails without knowing what they lead to. They may also contain links, hidden images, and scripts that can be used to steal personal information from the recipient's computer such as passwords and credit card numbers.

Spear Phishing

Cyber attacks Social engineering

Spear phishing is a type of phishing attack that involves the use of highly targeted email to try and trick the targeted individual into revealing personal details or clicking on a link that takes them to a fake website.

Spoofing Attacks

Cyber attacks Social engineering

Spoofing generally refers to hackers faking identities across the web through a variety of means such as using fake emails, phone numbers, and websites. Spoofing can also refer to IP address spoofing (to disguise location), address resolution protocol (ARP) spoofing (to intercept data) and DNS spoofing (to redirect users to a fake website).

Spring4Shell

Scanning

Spring4Shell is a critical vulnerability (CVSSv3 9.8) found by VMware in March 2022 which targets Spring, Java’s most adopted framework. The Spring4Shell vulnerability enables threat actors to run any commands or code of their choice on the affected application server.

Spyware

Cyber attacks

Spyware is software that is installed on a device without the user's consent. It gathers information about the user and sends it to third parties without their knowledge. There are several types of spyware, but they usually fall into four categories: keyloggers, screen capturing tools, web beacons and cookies.

SQL Injection Attacks

Cyber attacks

SQL injection (SQLi) is a type of attack that exploits a security vulnerability in the database layer of an application. An SQL injection attack occurs when a bad actor injects malicious SQL code into an application to view, control or extract information from a database. They do this by supplying crafted input to the affected web page, which the web server passes through unsanitized so that it is executed by the backend database.

T

Tailgating

Cyber attacks Social engineering

Tailgating is a type of social engineering attack with the goal of gaining access to a secured physical location. Threat actors may manipulate social conventions to achieve these aims, such as pretending to be someone waiting patiently for a door to open, pretending to have lost an RFID pass, or posing as maintenance staff or another visiting official to be let into the building.

Threat actor

Cyber attacks

Threat actor is a handy generic term for a hacker, cybercriminal or other person who tries to attack your business’ cyber defenses.

Threat hunting

SOC/SIEM

Threat hunting is where a trained security analyst proactively investigates your environment, such as your networks and logs, and uses their expertise and knowledge to find any suspicious activity that your endpoint protection failed to catch. When it comes to command-and-control activity, threat hunting is key.

Threat intelligence

Scanning

Threat intelligence is information that a company will use to identify and understand cyber risks that are currently affecting their organization or pose future risk. Threat intelligence feeds are usually configured to present data from many different aspects of a business’ infrastructure, to detect and prevent cyber attacks before they happen.

Threat Management

Scanning SOC/SIEM

Threat Management combines multiple security solutions as an all-in-one platform or service, essentially unifying all your security functions to protect against threats in a simplified manner. Rather than having to pay for and look after multiple security devices, Threat Management typically offers antivirus, next-generation firewall, web filtering and an intrusion prevention system (IPS) within a single threat dashboard.

Threat Modeling

Security

Threat modeling is the analysis of the possible weaknesses in a system and how they can be exploited by attackers. This involves identifying all possible threats to a system and all its assets, and then identifying the likely attack vectors that could be used to exploit these weaknesses. Once the likely attack vectors have been identified, any appropriate defensive controls can be implemented to reduce the risk of successful attacks.

Threat recon

Scanning

Threat Recon is a scanning tool which checks your web domain(s) and instantly shows areas of your external attack profile that could become threats. This hidden threat data enables you to act on any cyber risks before they are exploited.

TLS - Transport Layer Security

Security

Transport Layer Security (TLS) is an improved version of the SSL protocol that provides communications privacy over the Internet by encrypting data sent between clients and servers. The TLS protocol encrypts all data sent over the internet including passwords, cookies, and banking information and guarantees that all data passed between two parties remains private.

Trickbot

Cyber attacks

Trickbot is a banking trojan that has been used to target customers of financial institutions and can steal login credentials. It is widely considered to be the successor to Dyreza, another credential-stealing tool. The developers of Trickbot also incorporated worm-like capabilities and the ability to harvest Outlook credentials in 2017.

Trojans

Cyber attacks

Trojans are malicious software that often get into a computer by masquerading as something safe and useful, like a game or an update. For example, a 'Trojan Horse' might look like a website offering legitimate software downloads, or a browser hijacker might arrive as an email attachment which redirects to a malicious URL when opened. Other trojans may infect your computer with ransomware or spyware, which can stay undetected in systems until the payload is deployed later.

Typosquatting

Cyber attacks Social engineering

Typosquatting is where threat actors will register a domain name very similar to a legitimate website, to trick people who accidentally misspell domain names when browsing the web. These trick websites can host malware, drive-by attacks, or emulate a legitimate website to gather people's login credentials and are often used as a part of a wider phishing campaign.

U

Unicode

Security

Unicode is a computing industry standard that provides a universal way of representing text in all languages by assigning code points to characters and their respective glyphs. Unicode can be used to make internationalization easier, for ease of processing by computers, and from a security point of view to make sure that no errors occur when displaying texts in different languages.

UTM - Unified Threat Management

Security

Unified threat management (UTM) is an umbrella term for a computer security system that protects your network from different types of threats. UTM systems are often used by businesses to provide protection against malware, spam, phishing, and other cybersecurity threats. They offer a comprehensive security suite that combines antivirus and anti-malware software with firewall capabilities and other features.

V

VA scans - Vulnerability scanning

Scanning

Vulnerability assessments (commonly called VA scans) use automated security scanning software that provides visibility into security loopholes and technical security flaws. They work by methodically scanning applications and infrastructure for known weaknesses (the CVE database) and creating alerts based on their findings. VA scans are a cost-effective and efficient method of staying on top of your threat landscape in between scoped penetration tests.

Virus

Malware

A virus is essentially another term for malware, which can infect files and macros if systems do not run adequate antivirus software. Antivirus software needs to be updated regularly to protect against new and emerging threats and runs in the background to block threats identified by the software. If a computer starts running slowly, is unresponsive or repeatedly displays error messages, then it might be infected with a virus, which can destroy, change, and exfiltrate data.

Vishing

Social engineering

Vishing is a form of social engineering like phishing, only instead of emails, it uses voice calls.

W

WannaCry

Cyber attacks

WannaCry was a global ransomware attack that took place in May 2017 and targeted a security flaw, EternalBlue, in Windows machines. By leveraging EternalBlue, WannaCry was able to successfully attack any devices that were left unpatched against the vulnerability.

Whaling

Cyber attacks Social engineering

Whaling is when authoritative individuals, such as CEOs or senior-level employees, are targeted with personalized messages based on data gathered from Facebook, LinkedIn, or other public websites. The purpose of whaling is to steal money or elicit sensitive information, such as credentials or personal information, that may give threat actors access to business accounts or to unauthorized data.

Whitelisting

Endpoint

Whitelisting is a technique that identifies and allows only specific programs to run on a system. This can be done by specifying the applications in a list, or by specifying the security zone in which they are allowed to operate. A whitelist tells the computer that any program on the list is allowed to run, while a blacklist tells it that programs listed are not allowed to run. (See also, Blacklist)

Wi-Fi

Wi-Fi uses wireless networks to connect internet enabled devices to the internet, and to each other, using radio waves. Devices within the hotspot area near the router can pick up Wi-Fi signals and connect to the internet without the use of cables. This is especially useful for accessing the internet in public places, although it does present its own set of security challenges, such as the risk of exposure to rogue Wi-Fi hotspots, or intercepted data.

Worm

Malware

A worm is a self-replicating computer program that can infect other computers by sending copies of itself to those systems over a network. They can also spread without any user interaction, which makes them an especially dangerous type of malware for networks to deal with.

X

XDR - Extended Detection and Response

SOC/SIEM

Extended Detection and Response (XDR), as described by Gartner, is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Z

Zero Day

Cyber attacks

A zero-day (or 0-day) vulnerability is a technical security weakness in a product or service that is either undiscovered or not yet fixed by the vendor. A zero-day attack is where hackers exploit the vulnerability before the developer has patched the flaw, and a zero-day exploit involves using the vulnerability to attack the whole system.

Zombies

Malware

A zombie is a computer that is connected to a network and has been compromised by malware, such as a virus or Trojan, so that it can infect multiple other machines linked to the same network. Zombie computers can be remotely controlled by hackers, making the origin of attacks by zombies difficult to trace. A zombie network is when multiple machines compromised by the same malware work together to bring down larger networks. (See also, Bot/Botnet)