Cybersecurity Glossary

A
Advanced Persistent Threat (APT)
a network attack deployed by cybercriminals or a bad actor with a high level of expertise and resources to infiltrate a network. They are able to gain access to a network and stay undetected for a long period of time. They usually use this type of attack to target large organizations, seeking to retrieve economic or financial information. In some cases, they might even use this form of attack to stop or block a company's program or agenda. Since an advanced persistent threat is executed over a long period of time, it is difficult for average users to detect and block, and finding a solution requires a specialized security program or a team of experts.
Adware
a type of software that delivers ads on your system. Most types of adware are not dangerous, but there is a more dangerous form of adware that delivers spyware, which can track your activity and retrieve sensitive information. For this reason, users should not download applications from unsafe websites and should pay attention to bundled software. Less serious issues caused by adware include system slowdown or multiple annoying pop-up ads that can fill your computer screen. Adware can also cause stability issues. To remove malicious adware or spyware from the system, check online for specialized tools like Malwarebytes or Spybot.
Angler Exploit Kit
exploit kits are tools used to implant malicious code, or malware, onto a target system. The Angler Exploit Kit is one of the most used exploit kits. It has been around since 2013 and has maintained its popularity among cyber criminals. In 2014 its use accounted for 17% of infected systems; in 2015 that number jumped to 40%. Angler is easy to use, with a user-friendly interface, meaning even a novice user could execute an attack on a victim. It can be instructed to install malware, add the newly infected system to an existing botnet, or collect sensitive information. Angler mainly exploits vulnerabilities in outdated or unpatched software.
Anomaly-Based Detection
an Intrusion Detection System (IDS) uses either signature-based or anomaly-based detection methods. Anomaly-based detection creates a baseline of what is considered normal network behaviour for an organization. This baseline is documented as the accepted behaviour. Any actions that happen outside of the baseline are considered abnormalities. The system defines what's normal and what's an anomaly based on rules instead of patterns. Defining the rules can be difficult, as it takes time to analyse all of the protocols used within a network. Each protocol is analysed, defined and then tested. This type of IDS is notorious for identifying false positives. It also struggles with identifying malicious behaviour that still falls within the normal patterns of usage.
Anonymizing Proxy
also known as an anonymizer, is a process to hide your identity while online by hiding your IP address. A proxy server is used as an intermediary connection between your computer and the final destination. Anonymizers are used to avoid detection, not just by cyber criminals, but also by people who want privacy from targeted ads or marketing campaigns. They are also used in strict censorship environments to allow their users to freely access Internet content.
Anti-Malware
is software designed to protect your computer from malware, ransomware, Trojans, viruses, and other malicious software.
Anti-Spam
is software and techniques designed to prevent unsolicited email from infiltrating your inbox. Antispam software will scan incoming mail for certain keywords that are known to be associated with spam or phishing emails as well as email attachments for viruses and malware.
Anti-Spoofing
a technique used to counter a potential spoofing attack. Anti-spoofing techniques include creating rule sets on a firewall or router that identify and drop network packets found to have a false source address.
Anti-spyware Software
similar to antivirus software, antispyware scans your computer for spyware and removes it upon detection.
Anti-Virus Software
used to identify and remove any viruses on a computer system or network. Scans can be performed on demand or scheduled for certain times. Larger organizations may schedule scans to run after hours to avoid using precious system resources when most users are active and online.
Atmos
is a Trojan virus that is used to delete system files, modify registry settings, slow system performance and infect the system with pop-up ads. This virus also has the capability to steal personal information from the infected computer and send the information back to the perpetrators.
Attack (online)
any type of malicious use of software or resources to try to steal information, cause a denial of service, or just create general havoc for a person or a company. Some online attacks are used just to embarrass or hurt a person or entity. This includes revenge porn sites, the release of the names of Ashley Madison subscribers, and the release of emails from Sony and even the Democratic National Convention.
Attack Signature
is the way information is arranged that can be used to identify an attacker's exploit attempt. When an organization uses a signature-based Intrusion Detection System (IDS), it matches data patterns against the signature to identify a potential attack.
Authentication
the process of identifying and verifying a user or process. Current cybersecurity trends suggest the use of multifactor authentication, which means using at least two types of methods. Ways to authenticate a user are something they have, something they know, and something they are. A user can have a security token, like the RSA random number generators. Something they know would be a user name and/or password. Something they are would make use of biometrics. One way to combine these methods is to have a user log in with a fingerprint as well as entering a PIN.
Autorun worm
is a virus that exploits the autorun feature of Windows machines, and is normally sent as an attachment. Once it is executed it can replicate itself and infiltrate the rest of the network. The autorun worm is used to consume memory and disk space, as well as to steal personal information and send spam to other users.
B
Backdoor Trojan
malicious software used to open ports that allow a hacker to have remote access to the affected computer.
Backup
creating a copy or archive of data that can be used to restore a system after some type of disaster.
Baseline security
a set of basic security measures implemented on a system that represent the minimum security level.
Blackhat hacker
a person who exploits system vulnerabilities in order to breach security. These individuals have nefarious intent and use their newly gained access to perform malicious acts or for personal gain. Black hat hackers are also called crackers. This may be a more accurate term as hackers build, and crackers break. Black hats break into computers and often destroy them with viruses.
Blacklisting
a type of access control that denies specific elements access to system or network resources. This could include emails addresses, certain user ids, URLs, IP addresses, domains, file types, etc. Blacklisting is the opposite of whitelisting which is a strict list of elements allowed to access a system or network. Blacklists can be implemented on a DNS or email server, firewall, web proxy or a host computer.
Blended Threat
a type of exploit that uses a combination of attacks against various vulnerabilities. Multiple attack vectors are employed to increase the severity of the attack and the subsequent damage. Conficker is one well-known example. It may be called just a virus, worm, or Trojan, but could be a blend of all three.
Boot Sector Malware
The boot sector is the portion of a computer that initiates the startup sequence. Boot sector malware takes the original boot sector, hides it somewhere on the hard drive and replaces it with a modified version. When the computer is started again after infection the malware is activated. Even if the boot-up is unsuccessful, the virus can still spread. The infected code is copied to the floppy disk's boot sector or the partition table on the hard drive. This type of malware is normally difficult to identify and remove, but it has lost popularity since the decline of boot floppy disks.
Bot
also known as an Internet Bot, Web Robot, or WWW robot, is an application that can automate tasks. A bot can be used to send texts, tell the time, order food, set alarms, or search the internet. Siri is an example of a bot. There are malicious uses of bots. They can contribute to coordinating a denial-of-service attack, and can be used to commit click fraud. There are spam bots that send large amounts of spam that often contain advertising links that could be malicious. It has been estimated that over 94 percent of websites have experienced a bot attack.
Botnet
a combination of the words robot and network, used to describe a group of malware infected, internet connected devices that are often used to perform a Distributed Denial of Service (DDoS) Attack, steal data, or send spam. The devices are controlled remotely using command and control (C&C) software.
Bring Your Own Device (BYOD)
an organizational practice allowing employees to use their own electronic devices at work, or for work purposes. There are specific variations that include BYOT (bring your own technology), BYOC (bring your own computer), BYOL (bring your own laptop), BYOA (bring your own apps), or BYOPC (bring your own PC). This type of practice increases the number of potential vulnerabilities within an organization.
Browser hijacking
when malicious software, sometimes called hijackware, is used to modify a web browser's settings without any user interaction. The software injects advertisements into the user's browser, redirects to unwanted URLs, changes the home page or adds bookmarks, often to pornographic sites, or generates pop-up ads and spyware. Browser hijacking software is often installed with freeware, and is often mentioned in the user agreement, though it is not called browser hijacking. This means users agree to the installation and subsequent consequences, though they may not realize it, given the low number of users who actually read the terms and conditions. Browser hijacker software is also installed as the result of an infected file share or email, or a drive-by download.
Brute Force Attack or brute force cracking
is an application that uses a trial and error method to crack passwords or Data Encryption Standard (DES) keys, by working through every possible combination of characters and sequences. Brute force is a time consuming approach.
Buffer Overflow
when a program writes more data to a buffer than it can hold, it overruns the buffer's boundary and subsequently overwrites adjacent memory locations. To avoid a buffer overflow, programs should include sufficient bounds checking to discard excess data when too much is sent into the buffer.
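As an added illustration (not part of the glossary), this C program places an unchecked copy into a fixed-size buffer next to a bounds-checked version that discards excess data and reports it to the caller; the account struct, field names and sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed example record: the field after `name` is the "adjacent
 * memory" the glossary entry refers to. An unchecked write past the end
 * of `name` lands in `is_admin`. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* Unchecked copy: strcpy writes strlen(src) + 1 bytes no matter how large
 * dst is. With src longer than NAME_LEN - 1 this overruns the buffer
 * (undefined behaviour), so it is shown here but never called. */
void set_name_unchecked(struct account *acct, const char *src)
{
    strcpy(acct->name, src);
}

/* Bounds-checked copy: never writes more than sizeof(acct->name) bytes,
 * always NUL-terminates, and returns false when the input had to be
 * truncated so the caller can reject or log it. */
bool set_name_checked(struct account *acct, const char *src)
{
    size_t cap = sizeof(acct->name);
    size_t len = strlen(src);

    if (len >= cap) {
        memcpy(acct->name, src, cap - 1);   /* keep only what fits */
        acct->name[cap - 1] = '\0';
        return false;                       /* excess data discarded */
    }
    memcpy(acct->name, src, len + 1);       /* includes the terminator */
    return true;
}

int main(void)
{
    /* Constructed input: 30 characters, far more than the 15 that fit. */
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    struct account acct = { .name = "", .is_admin = 0 };

    bool ok = set_name_checked(&acct, overlong);
    /* is_admin stays 0 because the checked copy never touched it. */
    printf("accepted=%d name=\"%s\" is_admin=%d\n", ok, acct.name, acct.is_admin);
    return 0;
}
```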
Bug
an error or flaw in computer code, software, or system that will cause the program or system to act erratically, produce unexpected results, or completely crash. When programmers look for bugs in their code it is referred to as debugging. Once a product is released to the public bugs can still be found. This is when a patch is released to fix the program.
Bulk Encryption
protocols used to encrypt and decrypt data. This encryption protects data in transit from compromise or theft, protecting its integrity and confidentiality.
Business Impact Analysis (BIA)
examines the potential impacts to business after a disruption and develops strategies that will aid in recovery. During the BIA a risk assessment is performed to identify potential vulnerabilities, critical business processes are identified as well as the fastest ways to get the critical processes back online.
C
Cache
temporary storage of data to allow for future access to the data at faster speeds. This applies to a web browser or CPU cache. The cache can be created from an earlier computation or duplicated from data stored elsewhere. When a user navigates to a URL that requires login information, this data can be cached in the web browser so the next time the user navigates to that site, that information can be populated into the appropriate fields quickly.
Cache Cramming
a technique used to trick a computer into running malicious Java code from the computer’s local disk cache instead of the Internet. The malicious code is an applet that acts as a port scanner and is executed once the user navigates to a particular site designed by the bad actor.
Catfishing
is when a person uses available photos online to create a fake social media profile and uses it to lure someone into believing they are someone other than who they really are. Catfishing can be performed just to generate ongoing conversation with no other agenda, though it is often used to trick unsuspecting or naive victims into giving the impersonator large sums of money. The perpetrator normally uses the hope of a romantic relationship to coerce their victims. They find clever ways to avoid ever meeting the person face to face.
Chargeware
a form of malware used to manipulate victims into agreeing to unclear terms, without the opportunity to give informed consent, for an offered service. This type of malware is often associated with porn.
Chief Information Officer (CIO)
a senior level company executive who is responsible for the entire information technology implementation, use, and management of their organization. They are normally responsible for system design, analysing how technologies will benefit a company, and managing system infrastructure.
Chief Information Security Officer (CISO)
or the CSO, Chief Security Officer, is a senior-level executive responsible for the overarching cybersecurity department of an organization. They ensure the company’s technologies and assets are protected from threats.
Citadel
A Trojan based on the released Zeus source code. This malware is used to create a botnet and targets banking information, or credentials stored in password managers like KeePass or Nexus. The Trojan can also launch other malware types, including ransomware or scareware, making it an advanced toolkit.
Code Injection
normally made possible due to lack of stringent input/output data validation, it is an attack that injects code to change the way a program normally executes. It is often used to spread malicious code into legitimate websites.
Command and Control Center (C&C)
is a network of servers used to control a large number of compromised systems, normally a botnet. The C&C servers issue commands to the members of the botnet, normally referred to as zombies. These zombies are used to gather sensitive data like financial information or login credentials, or to launch a Distributed Denial of Service (DDoS) attack.
Computer Abuse
unethical use of a computer system for immoral, improper or illegal attacks. This includes launching online attacks, generating and distributing phishing and malware campaigns, stealing or making unauthorized changes to data, or gaining unauthorized access.
Computer Forensics
a legal technique for gathering and preserving digital evidence that can be presented in a court of law. The goal is to gather information during an investigation while maintaining a proper and well-documented chain of evidence. The computer forensics technician uses this information to investigate what an electronic device was used for and who was responsible.
Computer Incident Response Team (CIRT)
the group responsible for handling and investigating computer security breaches.
Confidentiality
the first letter in the CIA triad, confidentiality is the act of keeping information protected from unauthorized disclosure.
Cookie
used by websites to track your usage. It is a small text file record that tracks how you used a site, what you viewed, your preferences, even your shopping cart history. Cookies can be helpful, as they can increase website speed when you visit the same site again. They can also introduce a vulnerability, as they contain potentially sensitive information.
CoreBOT
is an infostealer Trojan that was designed to collect and steal information from an affected computer. In time, the Trojan evolved and added more capabilities, including browser injections, real-time form grabbing, man-in-the-middle attacks, etc. It can be embedded with other types of malware to create a complex cyber attack. It is similar to the Dyreza and Neverquest exploits.
Crimeware
any malicious software used to facilitate online illegal activity. Phishing kits that are sold online to give those with minimal technical skills the ability to launch a phishing campaign are one example of crimeware. Spyware, keyloggers and browser hijackers can all be considered crimeware as well.
Cross Site Scripting (XSS)
an injection attack used against a web application that accepts input. A web application that does not properly separate data from executable code is susceptible to this type of attack. Browsers can't differentiate between valid markup and malicious markup, so whatever text is input is accepted. XSS allows criminals to inject client-side scripts into pages.
CryptoLocker
a type of ransomware that emerged in 2013. Its objective is to infect Microsoft Windows PCs. CryptoLocker is normally distributed through malicious email attachments. A botnet is used to launch the attack. Once activated, it encrypts the data stored on the device as well as any cloud storage accounts. Then a message is displayed giving the victim information on how to pay the ransom to get the decryption key.
CryptoWall
a type of ransomware Trojan that is a CryptoLocker variant. A data-stealing ransomware, it mainly spreads through phishing and spam campaigns. The email invites users to click a malicious link or download. CryptoWall code is also included in malicious website ads. Once executed it encrypts all the data on the newly infected PC and any other PC on the same network. The victim is then prompted to pay the ransom in bitcoins so they can get the decryption key and regain access to their data. CryptoWall is on its fourth iteration and there is reason to believe this won't be the last.
CSO
is the acronym for Chief Security Officer. This is a top-level executive responsible for ensuring the security of an organization’s human, financial, physical and digital assets. Their responsibility is to align both the cyber and business goals.
CTB Locker
the Curve-Tor-Bitcoin Locker is a type of file-encrypting ransomware that emerged in 2014. CTB Locker is delivered through aggressive spam campaigns and achieved very high infection rates based on its capabilities and multilingual adaptations, and it employed an affiliate model to recruit malicious actors who could spread the infection further in return for a percentage of the profits. Curve refers to its cryptography, which is based on elliptic curves and encrypts the affected files with a unique RSA key. Tor represents the malicious server placed in the .onion domain. Bitcoin refers to the suggestion to pay the ransom in Bitcoins, avoiding normal payment systems that can lead back to the criminals.
Cyber Attack
Also called a cyber campaign, cyberwarfare, cyberterrorism or online attack. It is any malicious action performed by an individual or group that targets computers, networks, or information systems. It includes the deployment of malicious code for the purpose of stealing or altering data. In recent years, online attacks have become more and more sophisticated, and law enforcement agencies are having a hard time keeping up with this global menace.
Cyber Incident
any violation of an organization's security policy, or an attempt to gain unauthorized access to a system or network. A threat or event that disrupts or impairs the confidentiality, integrity or availability of data, information systems or networks.
Cyber Weapon
software used for military, or intelligence purposes. It performs actions that were previously executed by a soldier, spy or other human agent.
Cybersecurity
technologies, processes, practices, and policies created and enforced to protect computers, programs, networks or data from damage, exfiltration, unauthorized access or attack. Cybersecurity deals with logical protections as well as physical ones. Elements included are operational, informational and network security, cybersecurity awareness training, and disaster recovery/business continuity planning.
D
Data Asset
a piece of information that contains valuable information, often financial. It could be a database, document or any type of record that is managed as a single entity. The exposure of the information is directly connected to the number of people that have access to it, and for this reason it needs to be protected accordingly.
Data Integrity
is the assurance that digital information has been protected from being altered in any way.
Data Leakage
the unauthorized release of sensitive or classified information from a protected system to an external entity or person.
Data Loss
a process in which information is destroyed. It could happen due to failure or neglect in transmission, or malicious acts performed by cybercriminals. To prevent data loss, IT teams should implement backup and recovery procedures.
Data Theft
the act of stealing digital information. The intent is normally to compromise a victim's privacy or obtain confidential or sensitive information. This is a growing concern for both individuals and large corporations.
Denial-of-Service Attack (DoS)
When a bad actor disrupts legitimate users' access to system or network resources. This type of attack is often carried out by a botnet sending a flood of messages or malformed packets to force the target system to slow down or crash.
Dialer
a spyware device or program that is used to maliciously redirect online communication. It disconnects the legitimate phone connection and reconnects to a premium-rate number, which results in the user receiving an expensive phone bill.
Digital Signature
a technique used to validate the integrity and authenticity of a message, software package, or other digital content. It is based on public key cryptography, where two keys (public and private) are generated. A one-way hash of the electronic data is created, and the private key is used to encrypt the hash. The encrypted hash along with the hashing algorithm is the digital signature. A digital signature is difficult for a hacker to duplicate, which makes it important in information security.
Disaster Recovery Plan (DRP)
the documented approach for handling potential loss due to an attack against a computer system or IT infrastructure, or a software failure. It provides step-by-step procedures for recovering mission-critical functions after a disaster. A recovery plan should be developed during the business impact analysis process and should establish the recovery time objective (RTO) and recovery point objective (RPO).
DNS Cache Poisoning
is used to corrupt a domain name system (DNS) server by modifying its table so that a legitimate address is replaced by a malicious one. This redirects a user's URL request to the malicious address. It exposes the user to the risk of being infected with a worm, spyware, a hijacking program or another form of malware.
DNS Hijacking
also referred to as DNS redirection, is an online attack that overrides a computer’s TCP/IP settings to direct communication to a malicious server controlled by cybercriminals.
Document malware
takes advantage of vulnerabilities in applications that let users read or edit documents.
Domain Generation Algorithm (DGA)
a computer program used by various malware families to create slightly different variations of a certain domain name. The generated domains are used to hide traffic transmitted between the infected machines/networks and the command and control servers. This way, cyber criminals can cover their tracks and keep their anonymity from law enforcement and private cyber security organizations. DGA domains are heavily used to hide botnets and the attacks they help launch.
Domain Shadowing
a malicious tactic used by cyber criminals to build their infrastructure and launch attacks while remaining undetected. First, attackers steal and gather credentials for domain accounts. Using these stolen credentials, they log into the domain account and create subdomains which redirect traffic towards malicious servers, without the domain owner having any knowledge of this. Domain shadowing allows cyber attackers to bypass reputation-based filters and pass their malicious traffic off as safe.
Dormant Code
Modern, advanced malware often has a modular structure, including multiple components. One of them is dormant code, which means that the malware needs specific triggers to execute the task it was created for. This behavior is coded into the malware so it can bypass signature-based detection products such as traditional antivirus and anti-malware solutions. Another reason for using dormant code is that advanced malware, such as ransomware or financial malware, usually relies on external infrastructure to download components for infection; the malware can remain dormant and undetected if it can't reach its command and control servers to execute further.
Dridex
a strain of financial malware that uses Microsoft Office macros to infect information systems. Dridex is engineered to collect and steal banking credentials and other types of personal or sensitive information. Its fundamental objective is to commit banking fraud.
Drive-By Attack
is the unintentional download of a virus, malware or other malicious software onto a system. A drive-by attack will usually take advantage of, or exploit, a browser, app, or operating system that is out of date and has a security flaw.
Due diligence
compels organizations to develop and deploy a cyber security plan to prevent fraud and abuse. It also encourages organizations to deploy safeguards and countermeasures to detect them if they occur. This helps to maintain the confidentiality and safety of business data.
Dumpster diving
an illegal method of obtaining passwords and corporate directories by searching through discarded media. Just as it sounds, it normally involves diving into a publicly accessible dumpster looking for personal or sensitive data.
Dyreza/Dyre
Also called Dyre, it is a banking Trojan or financial malware that first appeared in 2014. Its behavior is similar to the ZeuS family, although there is no connection between Dyreza and ZeuS. The malware hides in popular web browsers that millions of users employ to access the web and aims to retrieve sensitive financial information every time the victim connects to a banking website. Dyreza is capable of keylogging and circumventing SSL mechanisms and two-factor authentication, and is usually spread through phishing emails.
E
Eavesdropping Attack
a type of man in the middle attack where an unauthorized person intercepts communications between two people.
Email malware distribution
using email as a means to distribute malware to potential victims. This could be using an attachment or embedding malicious links.
Encrypted Network
the application of crypto services at the network layer. Data is encrypted while in transit. The encryption is implemented through the use of IPSec (Internet Protocol Security). Both encrypted and unencrypted packets appear the same and easily travel through the network.
Encryption
using cryptographic measures to transform plaintext into unintelligible code.
End-to-End Encryption
E2EE is a secure communication method that encrypts data on the sender's system so that only the recipient can decrypt it. Not even the ISP can read the data. This decreases the risk of a man-in-the-middle attack. E2EE uses public key encryption.
End-to-End Security
making use of available security protocols to ensure transmitted data is protected from interception, data spillage, exfiltration, or alteration. E2EE is a type of end-to-end security.
Enterprise Risk Management
identifying potential risks and vulnerabilities specific to an organization in order to create plans and policies that help counter them.
Exploit
Exploit Kit
a type of tool used to create malware that scans the desired system for vulnerabilities, exploits them, and executes malicious code on the target system. Many exploit kits are used to exploit vulnerabilities in web browsers and redirect victims to a harmful website. Exploit kits are known for delivering very sophisticated malware and going undetected. Even with antivirus software running they still often avoid detection.
Exploit Kits-as-a-Service
a relatively recent business model employed by cyber criminals in which they create, manage, sell or rent exploit kits which are accessible and easy to use in cyber attacks. They don't require much technical expertise to use, are cheaper (especially if rented), are flexible, can be packed with different types of malware, offer broader reach, are usually difficult to detect and can be used to exploit a wide range of vulnerabilities. This business model makes it very profitable for exploit kit makers to sell their malicious code and increase their revenues.
External Security Testing
Security testing conducted from an outside organization. This type of testing is often required to pass certain regulations and auditing requirements. It can also be helpful to use an outside organization as they don’t know the structure of the organization as intimately as an internal team could. This gives them some objectivity, and could place them in the mindset to think like a hacker, instead of an employee.
F
Fail Safe
A fail-safe security system or device is an automatic protection system that intervenes when a hardware or software failure is detected.
Fake Antivirus Malware
Rogue antivirus or rogue security is a form of computer malware that simulates a system infection that needs to be removed. The users are asked for money in return for removal of malware, but it is nothing but a form of ransomware.
False Positive
occurs when a security solution detects a potential cyber threat which is, in fact, a harmless piece of software or a benign software behavior. For example, an antivirus could inform the user there's a malware threat on the PC when the program it is blocking is actually safe.
File Binder
applications used by online criminals to connect multiple files together in one executable that can be used in launching malware attacks.
Fileless malware
types of malicious code used in cyber attacks that don't use files to launch the attack and carry on the infection on the affected device or network. The infection runs in the RAM of the device, so traditional antivirus and anti-malware solutions can't detect it at all. Malicious hackers use fileless malware to achieve stealth and privilege escalation, to gather sensitive information, and to achieve persistence in the system, so the malware infection can continue to carry on its effect for a longer period of time.
Financial malware
specialized malicious software designed to harvest financial information and use it to extract money from victims' accounts. It is a newer type of malware that is also very sophisticated and can easily bypass traditional security measures such as antivirus. Financial malware is capable of persisting in the affected system for a long time, until it gathers the information associated with financial transactions. It can also start to leak money from the targeted account. Banking fraud cyber crimes are among the most serious cyber threats in the current risk landscape.
Firewall
A component of a network security architecture that controls which traffic may pass between networks, or between a host and a network, according to a set of rules. It inspects incoming and outgoing communication and allows, blocks or logs it; a well-configured firewall denies everything its rules do not explicitly permit.
Flip Button
In the malware world, a flip button is a deceptive button or dialog element used by spyware and adware to trick the user into an action they did not intend, such as agreeing to install additional, often malicious, software.
Flooding
A denial-of-service technique in which an attacker sends a large volume of traffic or requests to a server or other network location so that its bandwidth, memory or processing capacity is exhausted and it can no longer serve legitimate users.
Forensic Specialist
In IT security, a professional who collects, preserves and analyzes digital evidence (disk images, memory, logs and network traffic) to reconstruct what happened during an incident, in a way that holds up to scrutiny and, where needed, in court.
Form-Grabbing Malware
Harvests confidential data as you fill in a web form, by hooking the browser's own functions before the data is encrypted and sent to the server. Because it captures the data inside the browser, the HTTPS connection offers no protection, and neither does a virtual keyboard, autofill or copy/paste. The malware can categorize what it steals by field type (username, password, etc.) and record the URL where the data was entered.
G
Greyhat hacker
is a mix of both a white hat and black hat hacker. This type of hacker may violate laws or disregard ethical standards, but does not have the same level of malicious intent as a typical black hat hacker.
H
Hacker
A skilled computer expert or programmer who uses their knowledge to solve problems in unconventional ways, including finding and exploiting weaknesses in computer systems. In everyday use the word usually means someone who gains unauthorized access to a system; the older term cracker was coined for that meaning. The intent matters: white hat hackers test systems with permission (penetration testers) and report what they find so that software and systems can be made more secure, while black hat hackers use the same skills for malicious purposes.
Hacktivism
The use of hacking techniques (site defacement, data leaks, denial-of-service attacks) to promote a political or social cause rather than for profit.
Heartbleed Vulnerability
A bug in the OpenSSL library's implementation of the TLS heartbeat extension (CVE-2014-0160), disclosed in April 2014. A missing bounds check let a client send a heartbeat request whose declared payload length exceeded the actual payload, and the server would reply with up to 64 KB of its own memory, which could contain private keys, session cookies and passwords that TLS was supposed to protect. Around half a million SSL/TLS-enabled web servers (about 17% of those on the Internet at the time) were estimated to be exposed.
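A Python simulation of the bug, added here and not part of the glossary or of OpenSSL itself: a heartbeat record is placed in a bytearray standing in for process memory, with constructed "secrets" adjacent to it; the vulnerable handler copies as many bytes as the request claims, while the patched one applies the length check that the OpenSSL fix introduced. The record layout follows the heartbeat extension, but the memory contents are invented.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING = 16   # a TLS heartbeat message carries at least 16 bytes of random padding


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
    declared_len is whatever the sender claims; an attacker makes it larger than the payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytearray, record_len: int) -> bytes:
    """Pre-fix logic: trusts the declared length and copies that many bytes starting at
    the payload, reading past the end of the record into neighbouring memory."""
    msg_type, declared_len = struct.unpack("!BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    return bytes(memory[3:3 + declared_len])


def patched_handler(memory: bytearray, record_len: int) -> bytes:
    """Post-fix logic: header, declared payload and padding must fit inside the record."""
    msg_type, declared_len = struct.unpack("!BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + declared_len + PADDING > record_len:
        return b""   # silently discard, as the OpenSSL fix does
    return bytes(memory[3:3 + declared_len])


def simulate(handler, declared_len: int) -> bytes:
    """Place a heartbeat record in a bytearray standing in for process memory, followed by
    constructed data that happened to sit next to it on the heap, and run the handler."""
    record = build_heartbeat(b"hi", declared_len)
    neighbouring = b"session_cookie=SECRET123; private_key=-----BEGIN RSA"   # constructed
    memory = bytearray(record + neighbouring)
    return handler(memory, len(record))


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_handler, 40))
    print("patched:   ", simulate(patched_handler, 40))
```

With an honest length of 2 both handlers return the two-byte payload; with a claimed length of 40 the vulnerable handler hands back the padding and whatever followed the record in memory, while the patched handler returns nothing. In the real bug the claimed length could be 65535 and the request could be repeated indefinitely, each reply exposing a different slice of the server's heap.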
Hoax
a false computer virus warning. You may receive such hoaxes via email, instant messaging or social media. Before acting on it, be sure to go online and check the validity of the claim. Also, when you have proof that it’s fake, it’s a good idea to inform the sender as well. Remember that such hoaxes can lead to malicious websites which can infect your devices with malware.
Honeymonkey
This is an automated system designed to simulate the actions of a user who’s browsing websites on the Internet. The purpose of the system is to identify malicious websites that try to exploit vulnerabilities that the browser might have. Another name for this is Honey Client.
Honeypot
A decoy system or program that simulates one or more network services to attract attackers. To an intruder the honeypot looks like a vulnerable host; in the background it logs every access attempt, including the commands or keystrokes the attacker sends. Since no legitimate user has a reason to touch it, any connection is suspicious, and the data it collects helps defenders learn attacker tools and techniques, anticipate attacks and improve their security.
HTTPS Scanning
Also called TLS or SSL inspection. Scanning HTTPS (Hypertext Transfer Protocol Secure) content means decrypting, analyzing and re-encrypting the traffic between a user's browser and a website, which is technically a man-in-the-middle position. Security gateways do this legitimately, using a CA certificate that the organization's devices are configured to trust; attackers do the same thing to snoop on exchanges and steal confidential data, which is why a browser warning about an untrusted certificate should not be ignored.
Hybrid Attack
Combines the characteristics of several attack types to increase the damage or to work faster. One example is a hybrid dictionary attack for password cracking: each word from a dictionary is combined with appended digits and symbols, so passwords such as a word followed by a year and an exclamation mark fall much faster than they would to pure brute force.
I
Inadvertent Disclosure
Accidental spillage of information to unauthorized persons. This could be classified information, sensitive data, company or trade secrets, research, or correspondence between individuals.
Incremental Backups
A backup that captures only the files changed since the previous backup of any kind (full or incremental), unlike a differential backup, which captures everything changed since the last full backup, and a full backup, which captures the entire system. Incremental backups save time and storage and let an organization keep backups current, but restoring requires the last full backup plus every incremental since it, applied in order, so recovery is slower and the loss or corruption of any one link in the chain means data loss.
Information Assurance (IA)
A term first used by the U.S. government to describe the practice of applying technical and managerial measures to ensure the confidentiality, integrity and availability of data. With the switch to the Risk Management Framework in the government sector, the term IA has largely given way to the term cybersecurity.
Information Flow Control
mechanisms put in place to ensure policies related to how data is shared and transferred are adhered to. The point of information flow control is to ensure data transfers are safe and secure and avoid the potential threat of data spillage or exfiltration.
Information Security
processes and policies used to prevent unauthorized disclosure or destruction of information.
Information Security Policy
the directives, policies, procedures, and practices put in place by an organization to protect their information from unauthorized disclosure.
Information Security Risk
The potential for loss or harm resulting from the unauthorized disclosure, alteration, destruction or unavailability of protected information, usually expressed as a combination of how likely a threat is to exploit a vulnerability and how severe the impact would be.
Information System Resilience
the ability of a system to continue functioning even after or during a cyber attack. It also measures the ability of a system to bounce back to its original state of functioning after being degraded or weakened from an attack. Systems that not only implement good cyber hygiene practices, enforce stringent network security but also perform consistent backups, will be able to regain full operational functionality and recover faster from an attack.
Information Systems Security (INFOSEC)
the processes and methodologies used in protecting data, and data systems from unauthorized access or attempts. INFOSEC is used to ensure the confidentiality, integrity and availability of an information system.
Inside Threat
The potential threat from employees, former employees, contractors or vendors who have legitimate access to an organization's sensitive data. If their loyalties shift or they become disgruntled, they are already past the external controls that protect data from unauthorized disclosure, and because they know the organization's security practices they can cause more damage than an outsider. Least privilege, prompt removal of access when someone leaves and monitoring of data movement are the main defenses.
Integrity
the security principle or technique that ensures data has not been changed or altered in anyway whether intentional or unintentional.
Intellectual Property (IP)
Proprietary, intangible assets that are normally considered sensitive: artistic, technical or industrial information, concepts, ideas or knowledge that are identifiably owned and controlled by someone, whether in physical form or as a representation.
Internal Security Testing
Testing conducted from inside an organization's network, as an attacker who has already breached the perimeter or a malicious insider would see it, to examine the resilience and strength of the company's internal defenses.
Internet Worm
A self-replicating program that spreads from computer to computer over a network by exploiting vulnerabilities in network services, without needing a host file or any user action. The earliest worms were research experiments in distributed computing at Xerox PARC in the early 1980s; the Morris worm of 1988 showed how quickly an uncontrolled worm could spread across the Internet and disrupt it. An Internet worm uses each infected machine's Internet connection to find and infect further machines.
Intrusion
The successful attempt to gain unauthorized access to an asset by a bad actor.
Intrusion Detection Systems (IDS)
A system that monitors computers and networks and raises alerts when it sees signs of a security breach. It works by analyzing information from various points in a host or network (traffic, logs, system calls) to spot potential attacks, either by matching known attack signatures or by detecting deviations from normal behavior. Breaches can be intrusions (external attacks) or misuse (insider attacks). An IDS detects and alerts; a system that also blocks the offending traffic is an intrusion prevention system (IPS).
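A small signature-style IDS rule, added as an example and not part of the glossary or any product: it runs over constructed sshd-like authentication log lines, keeps a sliding one-minute window of failed logins per source address, raises a brute-force alert at a threshold, and escalates when a flagged source later succeeds. The log lines and addresses (documentation ranges) are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not captured from a real host).
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01 sshd[812]: Failed password for root from 203.0.113.7 port 51112 ssh2
2024-05-01T10:00:03 sshd[812]: Failed password for admin from 203.0.113.7 port 51113 ssh2
2024-05-01T10:00:04 sshd[812]: Failed password for invalid user test from 203.0.113.7 port 51114 ssh2
2024-05-01T10:00:06 sshd[812]: Failed password for root from 203.0.113.7 port 51115 ssh2
2024-05-01T10:00:07 sshd[812]: Failed password for root from 203.0.113.7 port 51116 ssh2
2024-05-01T10:00:09 sshd[812]: Accepted password for root from 203.0.113.7 port 51117 ssh2
2024-05-01T10:00:30 sshd[813]: Failed password for alice from 198.51.100.2 port 40100 ssh2
2024-05-01T10:20:00 sshd[814]: Failed password for alice from 198.51.100.2 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """threshold failed logins from one source inside `window` raises a brute-force alert;
    a later successful login from a flagged source is escalated as a likely compromise."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute-force", "ip": ip, "time": ts, "failures": len(q)})
        elif ip in flagged:
            alerts.append({"type": "success-after-brute-force", "ip": ip,
                           "time": ts, "user": m["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The second source (198.51.100.2) fails twice twenty minutes apart and is never flagged; the window is what keeps ordinary typos from becoming alerts. The escalation rule is the one worth copying: a success right after a burst of failures is a far higher-fidelity signal than the burst itself.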
IP Flood
A type of denial-of-service attack in which the attacker sends a host an avalanche of packets, classically ICMP echo requests (pings), faster than the host or its network link can handle. Resources are consumed answering the flood, so legitimate traffic is dropped or the host becomes unresponsive.
IP Spoofing
Forging the source address in IP packet headers so that traffic appears to come from another machine. Attackers use it to bypass access controls that trust particular IP addresses, to hide the true origin of an attack, and in reflection and amplification DDoS attacks, where spoofed requests cause servers to send their larger replies to the victim. Because a spoofed sender never sees the replies, spoofing is most effective with connectionless protocols such as UDP and ICMP.
K
Keylogging
Surveillance software that captures every keystroke a user enters and stores it in a log file or sends it to an attacker. Keyloggers have legitimate uses: employers may deploy them, with notice, to ensure company resources are used strictly for work, and parents use them to monitor their children's online activity. They are also a common component of malware, used to steal credentials and other typed secrets.
Kovter
A Trojan that used scareware tactics to trick users into clicking malicious links. It has been used in click fraud and malvertising campaigns, and later versions ran largely filelessly from the Windows registry and served as an installer for other malware.
L
Level of Concern
The rating which indicates which protection tactics and processes should be applied to an information system to keep it safe and operating at an optimum level. A level of concern can be basic, medium or high.
Likelihood of Occurrence
The probability that a given vulnerability will be exploited. This is normally recorded in an organization's risk management plan together with an estimate of the potential impact or damage if the event occurred; likelihood and impact together determine the level of risk.
Locky
Ransomware delivered by email containing what appears to be a legitimate invoice but is actually a Microsoft Word document with malicious macros. The macros fetch a 32-bit Windows executable packed in a crypter/dropper; once the dropped copy is launched it is renamed svchost.exe and begins encrypting files. This ransomware campaign has been associated with the Dridex cyber criminal organization.
Logic Bomb
Code intentionally inserted into software that performs a malicious function once certain predefined conditions are met, such as a date passing or a particular account disappearing. It is a classic insider risk to consider when a programmer or security professional is dismissed: they could have planted code that deletes important files once their account is removed from Active Directory. Code review, separation of duties and change control are the main defenses.
Low Impact
a security item, to include vulnerabilities or cyber threats, that, if exploited, would cause minimal loss, or have minor impact to the confidentiality, integrity or availability to the information system. This would include the potential damage to the company’s financials, reputation, ability to function or harm to its people.
M
Macro Virus
A virus written in the macro language of a document application such as Microsoft Word or Excel, so that malicious code runs automatically when the document is opened. Early macro viruses were often little more than nuisances that inserted text into documents as the user typed; the Melissa virus of 1999 was a well-known example that also mailed itself to the victim's contacts. Today malicious macros are a common first stage for delivering ransomware and other malware (see Locky), which is why current Office installations disable macros from untrusted sources by default.
Malicious Applet
An applet is a small program that runs inside a larger host application; the best-known kind were Java applets embedded in web pages. A malicious applet is one that downloads and executes automatically and performs an unauthorized function, such as capturing keystrokes, compromising the user's privacy or stealing system resources. Browsers sandboxed applets to limit the damage, and modern browsers no longer run Java applets at all.
Malicious Code
Any code that is written to cause undesired effects, or harm to a system. Viruses, worms, Trojans, spyware, adware, ransomware, rootkits, etc., are all examples of malicious code.
Malvertisement
Malicious advertising used to spread malware: malicious code is injected into an online advertisement, which the ad network then serves on legitimate web pages. This is one of the preferred infection channels for organized crime because it reaches visitors of trusted sites.
Malvertising
Malicious advertising, in which malware or malicious code is injected into an online advertisement. Little or no user interaction is required: an exploit kit behind the ad can infect a vulnerable browser as soon as the page loads. In 2016 msn.com, a site with around 1.3 billion monthly visits, was hit by a malvertising campaign, and it was estimated that about 70 percent of the affected page views delivered a ransomware payload.
Malware
Malicious code or software that is used to damage, disrupt or disable a computer system. Malware can also be used to give a potential hacker access to a computer system and the sensitive information it contains.
Malware-as-a-Service
A business run on the dark web or black market that offers an array of services. A customer can purchase malicious code, an exploit, a toolkit to deploy the code, or enlist the services of a black hat hacker, so that launching an attack no longer requires technical skill of the attacker's own.
Man-in-the-Middle Attack (MitM)
Sometimes called a bucket brigade attack: an attacker secretly positions themselves between two parties and relays, and possibly alters, their communication while each party believes it is talking directly to the other. Passive eavesdropping on the relayed traffic does not alter it; active variants rewrite it. A common setup is to lure the victim onto a rogue network or poisoned DNS, or to infect the browser, then redirect the user to a fake site while the attacker holds a connection to the legitimate one and acts as a proxy, able to intercept, read and modify everything in between. Banking and e-commerce sites are the biggest targets. The defense is authenticating the endpoints, in practice TLS with proper certificate validation (and mutual authentication where possible), since an unauthenticated key exchange can always be intercepted.
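Why endpoint authentication is the defense, shown as an added Python simulation (not part of the glossary or of any protocol library): an unauthenticated Diffie-Hellman exchange lets Mallory agree one key with Alice and another with Bob and relay between them; tagging each public value under a secret she lacks makes her substitution fail. A pre-shared key stands in here for the certificate signature TLS uses, and the 64-bit prime is toy-sized so the example runs instantly; this also illustrates how the HTTPS Scanning entry above works, since a proxy whose CA the client trusts can produce tags the client accepts.

```python
import hashlib
import hmac
import secrets

# Toy-sized parameters for illustration only: a 64-bit prime and generator 2.
# Real deployments use 2048-bit or larger standard groups (or elliptic curves).
P = 0xFFFFFFFFFFFFFFC5
G = 2


class Party:
    def __init__(self, name, psk=None):
        self.name = name
        self.psk = psk                      # pre-shared key used to authenticate, if any
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)     # the value sent over the wire

    def tag(self, pub):
        """Authentication tag over a public value; only holders of the PSK can produce one."""
        return hmac.new(self.psk, pub.to_bytes(8, "big"), hashlib.sha256).digest()

    def derive(self, peer_pub, peer_tag=None):
        """Derive the session key from the peer's public value, checking its tag if we have a PSK."""
        if self.psk is not None:
            if peer_tag is None or not hmac.compare_digest(self.tag(peer_pub), peer_tag):
                raise ValueError(f"{self.name}: peer public value failed authentication")
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def unauthenticated_exchange():
    """Plain Diffie-Hellman: Mallory swaps both public values for her own and ends up
    holding one key with Alice and another with Bob, relaying and reading everything."""
    alice, bob = Party("Alice"), Party("Bob")
    mal_a, mal_b = Party("Mallory(to Alice)"), Party("Mallory(to Bob)")
    k_alice = alice.derive(mal_a.pub)       # Alice receives Mallory's value, thinks it is Bob's
    k_bob = bob.derive(mal_b.pub)           # Bob receives Mallory's other value
    k_mal_alice = mal_a.derive(alice.pub)   # Mallory completes both handshakes
    k_mal_bob = mal_b.derive(bob.pub)
    return k_alice == k_mal_alice and k_bob == k_mal_bob and k_alice != k_bob


def authenticated_exchange():
    """Same exchange with each public value tagged under a secret Mallory does not have."""
    psk = secrets.token_bytes(32)
    alice, bob = Party("Alice", psk), Party("Bob", psk)
    mallory = Party("Mallory")
    k_alice = alice.derive(bob.pub, bob.tag(bob.pub))       # honest run succeeds
    k_bob = bob.derive(alice.pub, alice.tag(alice.pub))
    try:                                                    # Mallory substitutes her value
        bob.derive(mallory.pub, alice.tag(alice.pub))       # but can only replay Alice's tag
        blocked = False
    except ValueError:
        blocked = True
    return k_alice == k_bob and blocked


if __name__ == "__main__":
    print("unauthenticated DH intercepted:", unauthenticated_exchange())
    print("authenticated DH blocked MitM:", authenticated_exchange())
```

Nothing about the arithmetic changes between the two runs; the only difference is that Bob refuses a public value he cannot verify. That is exactly the check a browser performs when it validates the server's certificate, and exactly the check that is defeated when a user clicks through a certificate warning or a device trusts an inspection proxy's CA.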
Maximum Tolerable Downtime (MTD)
The maximum length of time an organization can be without a business function before its survival is at risk. In a business impact analysis it is compared against the Recovery Time Objective (RTO), the target time to bring critical systems back online, plus the Work Recovery Time (WRT), the time needed to verify system and data integrity and resume normal processing; RTO plus WRT must not exceed the MTD.
Mazar BOT
Malware that specifically targets Android devices. First seen in February 2016, it is sent via SMS or MMS as a link to a malicious app file. Once installed, Mazar BOT obtains device administrator rights, giving the attackers complete control over the phone.
Mobile Code
Software (programs, scripts or objects) that is transferred from one machine or application to another and executed there, often without explicit installation by the user; JavaScript in web pages, browser plug-ins and document macros are examples. Because mobile code runs on the receiving system, its source and integrity must be controlled.
Mobile Phone Malware
Malicious code written specifically to exploit weaknesses in mobile phones. Mobile malware dates back to 2000, when a worm originating in Spain was found sending malicious SMS messages; today it spreads through Bluetooth, games, MMS, SMS and malicious applications. Google Play and the Apple App Store try to stop the spread through their distribution platforms by checking submitted apps, but some malicious programs have slipped through; they were discovered and removed, though not before infecting phones. Security experts warn against clicking URLs in text messages from unknown numbers and against downloading apps from unknown third-party sources. Using the official application store for your device is the safest way to download content.
Moderate Impact
A security item, to include vulnerabilities or cyber threats, that, if exploited, would cause a potentially significant loss, or have major impact to the confidentiality, integrity or availability to the information system. This would include the potential damage to the company’s financials, reputation, ability to function or harm to its people.
Multifactor Authentication
Using two or more different kinds of authentication factor to verify a user's identity. The factor types are something the user knows (a password or PIN), something the user has (a hardware token, or a phone that generates or receives one-time codes) and something the user is (biometrics such as a fingerprint). A username is an identifier, not a factor, and a password plus a security question are both "something you know", so they do not count as two factors. Using a fingerprint and a PIN to open an application is an example of multifactor authentication.
N
Netiquette
A play on the word etiquette, this is the proper and acceptable way to communicate on the internet. As in using all caps in an email is frowned upon because it suggests the writer is yelling.
Network Sniffing
Capturing and inspecting the data that travels over a network using a packet analyzer (sniffer). Sniffing only copies the traffic; it does not alter it. It is performed for both legitimate and illegitimate purposes: a network or system administrator uses a sniffer to monitor traffic and troubleshoot bottlenecks or other problems, while an attacker reads the packet data, including source and destination addresses and any unencrypted contents such as passwords. Because a sniffer is passive it is difficult to detect, which is why encryption in transit is the main defense.
Neutrino
An exploit kit, active from about 2013, that became one of the most widely used kits after Angler disappeared in mid-2016. Delivered through malvertising and compromised websites, it exploited vulnerabilities in browsers and plug-ins such as Adobe Flash to install ransomware, banking trojans and other malware on unpatched systems.
Non-Repudiation
The property that the sender of a message cannot later deny having sent it, and that the message was not modified, because the system can prove both to a third party. This requires a digital signature made with a private key only the sender holds; a MAC computed with a shared secret proves integrity and origin to the other party but not non-repudiation, since either key holder could have produced it.
Nuclear Exploit Kit
A highly effective exploit kit that appeared in 2010 and gave cyber criminals the opportunity to exploit a wide range of software vulnerabilities in applications such as Flash, Silverlight, PDF readers, Internet Explorer and more. Polymorphic in nature, Nuclear evolved over the years into a notorious tool for launching zero-day attacks, spreading ransomware and exfiltrating data. It was often used in high-volume compromises and let attackers tailor their attacks to specific locations and computer configurations. This constantly evolving exploit kit used various obfuscation tactics to avoid detection by traditional antivirus and anti-malware solutions.
O
Obfuscation
In cyber security, obfuscation is a tactic used to make computer code obscure or unclear, so that humans and certain security programs (such as traditional, signature-based antivirus) cannot readily understand it. By obfuscating their code, cyber criminals make it harder for security specialists to read, analyze and reverse engineer their malware, delaying the point at which the threat can be blocked.
Offline Attack
An attack carried out against data the attacker has already obtained, without further interaction with the target system, so that rate limits, account lockouts and logging on that system cannot stop or reveal it. The classic example is cracking password hashes stolen in a breach: the attacker hashes candidate passwords on their own hardware and compares them with the stolen values. The term also covers information gained by non-network means such as shoulder surfing or eavesdropping.
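A worked example serving both this entry and the Hybrid Attack entry above, added here and not part of the glossary or any cracking tool: a Python hybrid dictionary attack run offline against a constructed, unsalted SHA-256 hash, next to the salted, iterated key derivation the store should have used. The wordlist, the target password and the hashes are invented for the example.

```python
import hashlib
import itertools

# Constructed "stolen" credential store: an unsalted SHA-256 hash as a weak system
# might keep it. Both passwords are invented for the example, not real credentials.
STOLEN_HASH = hashlib.sha256(b"Winter2024!").hexdigest()
STRONG_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()
WORDLIST = ["password", "summer", "winter", "welcome"]   # a few dictionary words


def mangle(word):
    """Hybrid rules: case variants combined with common year/digit/symbol suffixes."""
    bases = list(dict.fromkeys([word, word.capitalize(), word.upper()]))
    suffixes = [""] + [str(y) for y in range(2020, 2026)] + ["1", "123"]
    symbols = ["", "!", "@", "#"]
    for base, suffix, sym in itertools.product(bases, suffixes, symbols):
        yield base + suffix + sym


def crack(target_hex, wordlist, hash_name="sha256"):
    """Offline attack: every guess is hashed locally and compared with the stolen value.
    The victim's system is never contacted, so lockouts and logs never see it."""
    tries = 0
    for word in wordlist:
        for guess in mangle(word):
            tries += 1
            if hashlib.new(hash_name, guess.encode()).hexdigest() == target_hex:
                return guess, tries
    return None, tries


def slow_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """What the store should have used: a salted, iterated KDF (PBKDF2 here). Each guess
    now costs `iterations` HMAC operations instead of one hash, and equal passwords get
    different hashes, so precomputed tables are useless and the attack slows by orders of magnitude."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


if __name__ == "__main__":
    found, tries = crack(STOLEN_HASH, WORDLIST)
    print(f"recovered {found!r} after {tries} guesses")
    print("strong passphrase:", crack(STRONG_HASH, WORDLIST)[0])
```

A few hundred guesses recover the "complex" password because the complexity is all rule-shaped; the passphrase outside the wordlist is not found at all. Neither outcome depends on the target system, which is the defining feature of an offline attack and the reason breached hashes must be treated as disclosed passwords.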
Operation Tovar
Was an international, collaborative effort undertaken by law enforcement agencies and private security companies from multiple countries. The operation’s main objective was to take down the Zeus GameOver botnet, which was believed to be used for distributing the CryptoLocker ransomware. Heimdal Security was also involved in this effort, alongside the U.S. Department of Justice, Europol, the FBI, Microsoft, Symantec, Sophos, Trend Micro and more.
Outside Threat
Refers to an unauthorized person from outside the company’s security perimeter who has the capacity to harm an information system by destroying it, modifying or stealing data from it and disclosing it to unauthorized recipients, and/or causing denial of service.
P
Packet Sniffer
A type of software designed to monitor and record traffic on a network. It can be used for good, to run diagnostic tests and troubleshoot potential problems. But it can also be used for malicious purposes, to snoop in on your private data exchanges. This includes: your web browsing history, your downloads, the people you send emails to, etc.
Parasitic Viruses
A type of virus that’s capable of associating itself with a file or inserting itself into a file. To remain undetected, this virus will give control back to the software it infected. When the operating system looks at the infected software, it will continue to give it rights to run as usual. This means that the virus will be able to copy itself, install itself into memory or make other malicious changes to the infected PC. Although this type of virus appeared early on in the history of computer infections, it’s now making a comeback.
Passive Attack
A type of attack during which cyber criminals try to gain unauthorized access to confidential information. It’s called passive because the attacker only extracts information without changing the data, so it’s more difficult to detect as a result.
Password Sniffing
A tactic used by cyber criminals to harvest passwords by monitoring network traffic and extracting password data from it. If the password is sent over an unencrypted connection (for example, on a website whose address does not start with https), the attacker can read it directly from the packets; with HTTPS the sniffer sees only ciphertext.
Patch
A small software update released by manufacturers to fix or improve a software program. A patch can fix security vulnerabilities or other bugs, or enhance the software in terms of features, usability and performance.
Patch Management
Refers to the activity of getting, testing and installing software patches for a network and the systems in it. Patch management includes applying patches both for security purposes and for improving the software programs used in the network and the systems within it.
Patching
The act of applying a software update designed to fix or enhance a software program. This includes both security-related updates and improvements in features and user experience.
Payload
The data cargo transported by a piece of malware onto the affected device or network. The payload contains the fundamental objective of the transmission, which is why the payload is actually the element of the malware that performs the malicious action (i.e. stealing financial information, destroying data, encrypting data on the affected device/network, etc.). When you consider a malware’s damaging consequences, that’s when you can talk about the payload.
Penetration
Occurs when a malicious attacker manages to bypass a system’s defenses and acquire confidential data from that system.
Penetration Testing
An authorized, simulated attack against a network or computer system, carried out to identify security vulnerabilities that could be used to gain unauthorized access to the system's functions and data, and to demonstrate their impact. Penetration testing helps companies better protect themselves against real attacks; the scope and rules of engagement are agreed in advance.
Personal Firewall
A firewall is a network security system designed to prevent unauthorized access to public or private networks. Its purpose is to control incoming and outgoing communication based on a set of rules. A personal firewall is a smaller architectural piece designed to run on personal computers.
Pharming
A type of online scam aimed at extracting information such as passwords and usernames from the victim by redirecting Internet traffic from a legitimate website to a fake one, typically by poisoning a DNS server or the victim's local hosts file. Victims enter their confidential information and the attackers collect it. Such attacks usually target banking and e-commerce websites. What makes pharming hard to detect is that even if the victim types the correct URL, the redirect still takes them to the fake website run by the criminals; the browser's certificate warning is often the only clue.
Phishing
A malicious technique used by cyber criminals to gather sensitive information (credit card data, usernames and passwords, etc.) from users. The attackers pretend to be a trustworthy entity to bait the victims into trusting them and revealing their confidential data. The data gathered through phishing can be used for financial theft, identity theft, to gain unauthorized access to the victim’s accounts or to accounts they have access to, to blackmail the victim and more.
Plaintext
Unencrypted, simple text. This is what it is called before it’s encrypted or after being decrypted. If passwords, or other sensitive data is stored in plaintext, it means that they can be read by anyone. This is a big lapse in cyber security.
Polymorphic Code
Is capable of mutating and changing while maintaining the initial algorithm. Each time it runs, the code morphs, but keeps its function. This tactic is usually used by malware creators to keep their attacks covert and undetected by reactive security solutions.
Polymorphic Engine
A program used to generate polymorphic malware: it transforms a program into derivative versions with different code that perform the same function. Polymorphic engines rely on encryption and obfuscation and are used almost exclusively by malware creators and other cyber criminals. With such an engine, attackers produce malware variants that signature-based antivirus engines do not detect, or detect only at a very low rate.
Polymorphic Malware
Is capable of transforming itself into various derivative versions that perform the same function and have the same objective. By using obfuscated code and constantly changing it, polymorphic malware strains can infect information systems without being detected by traditional, signature-based antivirus, which is a key asset from the cyber criminals' perspective.
Polymorphic Packer
A software tool used for bundling up different types of malware in a single package (for example, in an email attachment). Malicious actors use polymorphic packers because they’re able to transform over time, so they can remain undetected by traditional security solutions for longer periods of time.
Pop-Up Ad
Windows used for advertising. They appear on top of your browser window when you’re on a website, and they’re often annoying because they are intrusive. While they’re not malicious by nature, sometimes they can become infected with malware, if a cyber attacker compromises the advertising networks that’s serving the popup.
Potential Impact
When a cyber security risk is assessed, the loss of the 3 essential factors is considered: confidentiality, integrity and availability. If a risk becomes a cyber attack, it can have low, moderate or high impact.
Potentially Unwanted Application (PUA)
Applications you might install on your devices that contain adware, install toolbars or serve confusing purposes. Such applications are not necessarily malicious by nature, but they carry the risk of becoming so, and users should weigh that risk before installing them.
Poweliks
A Trojan designed to perform click-fraud operations on the affected PC. Its distinguishing feature is that it is fileless malware, which makes it very difficult for traditional, signature-based anti-malware and antivirus solutions to detect. Poweliks stores itself in the Windows registry, from where it injects itself into legitimate Windows processes; this also gives it persistence on the infected PC. It can also download other threats onto the victim's PC, such as ransomware delivered through malvertising.
Power Virus
This type of computer virus is capable of executing a specific code that triggers the maximum CPU power dissipation (heat generated by the central processing units). Consequently, the computer’s cooling ability would be impaired and the virus could cause the system to overheat. One of the potential effects is permanent physical damage to the hardware. Power viruses are used both by good actors, to test components, but can also be used by cyber criminals.
Proprietary Information (PROPIN)
Is made of all the data that is unique to a company and ensures its ability to stay competitive. This can include customer details, technical information, costs and trade secrets. If cyber criminals compromise or reveal this information, the impact on the company can be quite severe, as we’ve seen in major data breaches.
Proxy Server
A server that sits between a computer and the Internet and forwards requests on the computer's behalf. Proxies support security because the internal machine never connects directly: the proxy can hide the internal address, enforce policy, filter content and log traffic. A proxy is not a substitute for patching or a firewall, and a malicious or compromised proxy is itself in a man-in-the-middle position.
R
Ransomware
A type of malware used to hold a system hostage by encrypting files found on a system until the victim pays a fee for the decryption key.
Realtime Reaction
The immediate response to an attempt to compromise and infiltrate a system, for example the reaction time of an Intrusion Detection System (IDS) or of the team acting on its alerts. Understanding the real-time reaction aids an organization in understanding its security posture and assessing what safeguards to put in place.
Remote Access
Gaining entry to a computer or network from a physical distance. This means a user can log into a computer that is at work from home. Remote access can be used by employees that telecommute, or system administrators that need to gain access to computers to troubleshoot issues.
Remote Access Trojan (RAT)
A malware tool used to create a back door on a target computer so the bad actor gains administrative control. A RAT can be sent as a malicious email attachment or embedded in an application such as a game. Once it is installed the bad actor can install a keylogger, access sensitive data, format drives, delete or alter files, or use the infected computer to infect others and build a botnet.
Remote Diagnostics/Maintenance
When an authorized system administrator or other computer technician uses remote access services to troubleshoot, diagnose and fix issues on a computer system. Some organizations have outsourced their technical department to third party vendors who do not reside in the state, or at times even the country. These physically distant administrators can still remotely monitor and administer the systems under their care.
Replay Attacks
Also called a playback attack: a type of man-in-the-middle attack in which a valid data transmission between two parties is captured and later repeated or delayed by the attacker. A replayed "transfer funds" message could cause a duplicate transaction, and a replayed authentication exchange could log the attacker in. Defenses are nonces, timestamps or sequence numbers covered by the message's integrity check, so that a repeated message is recognized and rejected.
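One message format that defends against both tampering and replay, serving this entry and the Integrity entry above; it is an added Python example, not code from the glossary or any protocol. A sequence number is serialized together with the body and covered by an HMAC-SHA256 tag; the receiver checks the tag in constant time before parsing anything, then rejects any sequence number it has already passed. The key, messages and amounts are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)   # shared by sender and receiver; constructed for the example


def sign(key: bytes, seq: int, body: dict) -> bytes:
    """Serialize deterministically, then append an HMAC-SHA256 tag over the whole message,
    sequence number included, so neither the body nor the counter can change unnoticed."""
    msg = json.dumps({"seq": seq, "body": body}, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"." + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = -1   # anything at or below this was already processed
        self.accepted = []

    def accept(self, wire: bytes) -> str:
        msg, _, tag = wire.rpartition(b".")
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # integrity first, in constant time
            return "rejected: integrity"
        data = json.loads(msg)                        # only parse what was authenticated
        if data["seq"] <= self.highest_seq:           # same or older message seen again
            return "rejected: replay"
        self.highest_seq = data["seq"]
        self.accepted.append(data["body"])
        return "accepted"


def demo():
    rx = Receiver(KEY)
    order = sign(KEY, 1, {"action": "transfer", "amount": 100})
    results = [rx.accept(order), rx.accept(order)]                     # second one is a replay
    tampered = order.replace(b'"amount":100', b'"amount":900')          # in-flight modification
    results.append(rx.accept(tampered))
    results.append(rx.accept(sign(KEY, 2, {"action": "transfer", "amount": 50})))
    return results, rx.accepted


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

Two design points carry over to real systems: the sequence number must sit inside the authenticated data (otherwise the attacker simply renumbers a captured message), and the tag is checked before the JSON is parsed so that malformed input never reaches the parser. Note what this does not give: both sides hold KEY, so either could have produced the tag, which is why a MAC provides integrity but not the non-repudiation described under Non-Repudiation above.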
Residual Risk
The hazards that remain once all efforts to identify and eliminate threats are completed. Any identified threat has some level of residual risk that remains. When organizations identify the residual risks they should identify the requirements in relation to the risk, determine their own strengths and weaknesses, and identify potential options to offset the risks.
Resilience
Refers to an organization’s ability to restore its system’s usability and functionality during and after a cyber attack. The importance of the organization’s cyber resiliency should be evaluated and examined during the creation of disaster recovery and business continuity plans.
Reverse Engineering
Taking an object apart to see how it works. This is used to analyse, duplicate or enhance the product. In cyber security, reverse engineering is often used to gain a better understanding of malware. Reverse engineering malware aids in creating better safeguards.
Risk Assessment
An analysis of an organization’s security posture to evaluate vulnerabilities and risks and their potential impact if exploited.
Risk Management
An organizational process for identifying, assessing, and controlling threats. Risk management includes performing a risk assessment and creating a risk mitigation strategy. Risk management is a continuous process that should be reviewed according to industry standards.
Risk Mitigation
The process of evaluating, prioritizing, and managing mitigation tactics and measures.
Rogue Security Software
Fraudulent and malicious software used to mislead users into thinking they have a virus and need to purchase software to remove it. This is similar to both ransomware and scareware. The bad actor can use the fraudulent antivirus to extort more money out of the victim to have the rogue software removed.
Rogueware
Another type of malicious software that pretends to be a harmless and useful program like antivirus software, in order to trick its victims into paying money, or it can be used to steal sensitive data from the infected system.
Root Cause Analysis (RCA)
The process used to identify the starting point of a security risk.
Rootkit
Tools used to gain administrative access to a computer or network. A bad actor could install a rootkit after exploiting a vulnerability that allowed them to gain user-level access to the system. Once installed, they can discreetly elevate their privileges. With elevated privileges they can alter log files, gather information, or exploit other systems on the network. Rootkits can have embedded spyware that is used to gather keystrokes and monitor traffic.
S
Safeguards
Security controls, either logical, physical, technical or administrative, put in place to protect a system from unauthorized access or data spillage.
Scareware
Malware used to frighten a user into purchasing or downloading malicious or unnecessary software in an effort to protect their computer. Scareware generates pop-ups that suggest the system is infected with a virus and uses clickjacking features in the pop-up to force the user to navigate to the website to purchase the download. Clickjacking here means that once the pop-up appears, clicking any of the options will just lead to the website. To close the window, the user would need to right-click on the item and select close, or use the task manager to close the browser.
Scavenging
The act of searching through a system’s data residue trying to find sensitive data. Some software programs create temporary data files that stay on the system until the next time the program is launched. During the time before these files are overwritten, they can be obtained and copied. Cyber criminals can scavenge these files to gather information about the user.
Security Controls
Physical or logical safeguards and/or countermeasures used to detect, avoid, or counteract risks to a system. In relation to cybersecurity, these are the controls used to protect the confidentiality, integrity, and/or availability of data.
Security Impact Analysis (SIA)
A study performed by an organization to determine the level of changes required to alter the state of security on the system. This study is a part of the System Development Lifecycle (SDLC) and is used to determine the impact of potential changes to the system and decide if additional security requirements are needed.
Security Requirements
Describes both the functional and non-functional conditions that need to be fulfilled in order to achieve the desired security attributes of the system. The functional requirements are the objectives that need to be satisfied for the system to pass inspection. These include things like authentication controls, authorization, backup schedule, server clusters, etc. Non-functional security requirements relate to the architecture and its robustness. These are the industry best practices for minimal performance and scalability.
Sensitive Information
Data that is not open to the general public. It is considered confidential to certain groups of people. For example, health information is considered sensitive and is only authorized to be viewed by the healthcare providers assigned to treat the individual and the individual themselves.
Shylock
Based on the leaked ZeuS code, it is malware designed to steal a user’s banking credentials for malicious purposes. It uses man-in-the-middle attacks along with fake digital certificates in order to intercept data and inject code, particularly malicious JavaScript, into banking websites. It uses a Domain Generation Algorithm (DGA) to hide its traffic and remain undetected by antivirus solutions. The malware gathers information from the infected websites, and it has also been used to open fake customer service chat sessions to trick customers into giving their account information.
Signature
In cyber security this is the identifiable, differentiating pattern associated with malware. It is a unique arrangement of information. Signatures can be analysed and stored in a database and then used to update antivirus software to help protect against future attacks.
Skimming
Using a tag reader to collect information about a person’s tag. Credit card fraud often happens due to a maliciously placed skimmer collecting data from a card’s magnetic stripe and copying this information to a blank card’s magnetic stripe.
Sniffer
A packet analyser that is used to monitor and analyse network traffic. It can legitimately be used to determine bottlenecks and to troubleshoot network issues. Illegitimate uses are to capture and harvest data transmitted over the network for malicious purposes.
Social Engineering
Using psychological deception or manipulation of an individual to divulge confidential, sensitive and personal information that can then be used for nefarious purposes. The human being is regarded as the weakest link in the security chain, so it may be easier and less time consuming to trick a user into giving you their password, or enough information to guess it, than to use a logical attack to get it.
Spam
Unwanted and unsolicited emails that are often sent in bulk. Spambots are automated programs that crawl through the internet to gather email addresses and create distribution lists. Spam emails will often have multiple recipients with similar email names. These types of emails are often advertisements for various products or services.
Spam Filtering Software
An email program or service used to detect and discard unsolicited emails. The software may look for certain keywords, phrases, or suspicious word patterns or word frequency. Once an email is determined to be spam it is sent to a separate folder or deleted instead of making its way to the user’s inbox. It is still possible to receive spam emails, or to have legitimate emails discarded; the latter are called false positives.
Spear Phishing
The practice of sending fraudulent emails that have been spoofed to appear as though they came from a legitimate or trusted source. These emails are used to target specific organizations to gain access to sensitive data.
Spillage
When data leaks from a secure location to a less secure one, potentially giving people who are not authorized to view the information access. This term is often used to describe when classified information is spilled over to a system with a lower classification.
Spoofing (Email)
Forges the information in the email header to make the message appear as though it originated from a legitimate source, or anywhere other than where it actually came from. Email spoofing is used in phishing and spam campaigns to convince the user that the email is safe to open and that the links embedded inside can be trusted.
Spyphishing
A type of malware that combines tactics from both phishing and spyware campaigns. It makes use of spyware techniques like Trojans by having the intended victim click a phishing link, and it is malware intended to spy on the user to gather financial credentials or other sensitive information. Merging these tactics makes spyphishing capable of downloading applications that silently run on the infected computer and discreetly send the collected information back to the creator of the spyphishing message.
Spyware
A type of malware that is used to steal sensitive information from the computer it infects. Once installed it monitors and stores the victim’s keystrokes, browser history and current internet activity to collect login information, including usernames and passwords, particularly to financial sites. Spyware can also be installed for innocuous reasons like employers monitoring their employees’ online activity while using company assets, parents monitoring their kids’ activity while online, or online businesses installing cookies to track users’ viewing history. In these cases spyware may be referred to as tracking software.
SQL Injection
A malicious payload of SQL statements is injected into a website’s input in order to take control of its database server.
SSL/Secure Sockets Layer
The standard security technology that establishes an encrypted link between a web server and browser, or between an email server and client. This link protects the confidentiality and integrity of the data. The addresses of websites that use SSL start with https. Inputting any type of data into websites that don’t use SSL is a potential risk.
Stealware
A type of malware that uses stealth measures to transfer money or data to a malicious third party. It uses an HTTP cookie that redirects the commissions earned by a site that refers users to another site.
Strong Authentication
Forcing the use of multi-factor or otherwise stringent authentication methods to ensure the security of the system.
Supply Chain Attack
A cyberattack that exploits vulnerabilities within a supply network. The hardware or software that is purchased by companies can be manipulated or embedded with viruses during the manufacturing stage.
Suppression Measure
An action used to reduce the potential security risks associated with an information system. During the risk mitigation process suppression measures are identified and put into policies and procedures for the organization.
Suspicious Files and Behavior
When files do questionable things or exhibit unusual behavior, they are considered suspicious. Files that begin copying themselves to different locations within the file structure may be showing signs of a virus infection. These types of actions are how antivirus software flags files as suspicious.
System Administrator/Sysadmin
The person responsible for maintaining the information systems within an organization. They ensure the system is up to date with the latest patches, reset users’ access when they forget their password or login information, install updates, and install the hardware and software for new systems.
System integrity
This state defines an information system which is able to perform its dedicated functions at optimal parameters, without intrusion or manipulation (either intended or not).
T
Tampering
Intentionally modifying an asset to force it to execute unauthorized actions. There has been an increase in the production of anti-tamper mechanisms, both logical and physical, to counter this risk.
Targeted Threat
A type of malware designed and destined for a specific person, organization, or industry. It is designed to gather sensitive information. The government sector is the industry most often targeted by this type of attack. Targeted threats are delivered via phishing emails and exploit zero-day vulnerabilities.
TeslaCrypt
A ransomware Trojan that has become defunct due to the master key being released by the developers and a free decryption tool being available on the web.
Threat
Anything that could destroy, alter, or interrupt the use and availability of a service or valued item. Threats can be either human or non-human. Both a hacker and a flood could render an information system useless.
Threat Analysis
Examining the current security posture of a system to determine and evaluate potential areas of weakness and points of vulnerability. This is a core area of a risk assessment.
Threat assessment
An approach to evaluate the potential risk posed to an organization, its people and its information systems. It is used as a way to create a prevention strategy to avoid falling victim to the potential threat.
Threat Event
A potentially harmful situation that could have undesirable consequences or impact to an information system. This could include anything from a hacker exploiting a vulnerability to a tornado destroying a data center.
Threat Monitoring
The analysis, assessment and review of security related data to examine how certain events could endanger the system’s security posture. This data is used to detect both attempted or successful security breaches.
Threat Scenario
During a risk assessment, the impact, potential vulnerabilities and threats are evaluated to assess an organization’s likely threat sources and the ways they could exploit the information systems.
Threat Shifting
The adoption of new countermeasures based on current cyber attacks and tactics. This is also the response from adversaries who change their characteristics to overcome the newly implemented (or what they perceived to be implemented) safeguards and countermeasures.
Threat Source
The method or object used by a cyber attacker to exploit a vulnerability in an system.
Time Bomb
Malicious code that contains a logic bomb and stays dormant on a system for a certain amount of time, then executes its malicious payload once certain criteria are met. This is an effective way to launch a virus in a stealthy manner and avoid detection.
Time-Dependent Password
One-time-use, dynamic passwords normally based on the Time-based One-Time Password (TOTP) algorithm. This algorithm produces a one-time-use password from a shared secret key and the current time. It is often used in two-factor authentication systems.
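As an added example (not part of the glossary), the following implements the TOTP construction just described: an HMAC-SHA1 over a counter derived from the current time, truncated to a six-digit code, plus a verifier that tolerates one interval of clock skew. The shared secret used in the comments is the well-known RFC 4226/6238 test-vector key, not a real credential.

```python
"""
Added example: Time-based One-Time Password (TOTP) generation and verification,
following the HOTP/TOTP construction of RFC 4226 and RFC 6238.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP interval (the usual default)
DIGITS = 6       # length of the generated code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password for an 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """TOTP = HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1,
                step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Accept the code for the current interval or up to `window` intervals
    on either side, so a slightly skewed client clock still works.
    Uses a constant-time comparison to avoid leaking the expected code."""
    counter = timestamp // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"), for demonstration only.
    key = b"12345678901234567890"
    print(totp(key, 59))              # expected "287082" (RFC vector 94287082, last 6 digits)
    print(verify_totp(key, "287082", 89))   # True: one interval of skew is tolerated
```

A production verifier should also refuse to accept the same code twice within its validity window, as RFC 6238 recommends.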
Token
A physical device that provides authentication in order to gain access to a logically or electronically restricted resource. A token can create a randomized number, or store a digital signature, cryptographic keys or even biometric data. Some even store passwords. Tokens are normally used in two- or multi-factor authentication mechanisms. Tokens can be key fobs, smart cards, or USB devices, and some newer designs come in tamper-resistant packaging for increased security.
Tracking Cookie
Bits of text stored on a computer that gather information about a user’s browsing history. This information relates to the user’s browsing preferences, shopping cart contents or other related data, and is used to send customized advertisements based on those preferences.
Traffic Analysis
Examining network traffic in order to better understand and identify traffic patterns and to create metrics and statistics. This data can be used to fine-tune the monitoring efforts of an anomaly-based IDS. Traffic analysis can be used to enhance security, but since it examines who is talking to whom, at what time(s), how long their communications last, and the size of the packets transmitted, this information could be useful to a potential attacker if it is not well protected.
Traffic Encryption Key (TEK)
In network security this is a key used to encrypt traffic. A TEK is normally used in symmetric encryption schemes. They are changed often: in some systems daily, in some as often as hourly, and in some with every message.
Trojan (Trojan horse)
Named after the Greek legend, this is a sneaky way to infect a computer: a malicious program that appears to be a legitimate, inconspicuous program, leading the receiver to believe it is safe to open. Once installed, a hacker has remote access to the infected computer. This gives them the ability to spy on the user, steal sensitive data, or destroy and manipulate sensitive files. Trojans differ from viruses and worms in that they are unable to self-replicate.
Typhoid adware
A man-in-the-middle attack that is used to inject advertisements into web pages that a user visits while using a public network. The advertisements can be displayed on the user’s computer even if there is no adware installed. This makes it difficult to rely on antivirus software to detect the adware.
U
Unauthorized Access
When a person gains access to information, devices or restricted locations without having permission, or the proper credentials.
Unauthorized Disclosure
When any type of sensitive or private information is released to the public or any person(s) not authorized to see the information.
URL injection
The act of inserting malicious code into a website. The code could be used to redirect the site to an alternate, potentially malicious, website. The code could also be used to force the web server hosting the site to participate in a denial-of-service attack, or to create new pages on the site that could contain malicious links or spam words.
V
Vaccine
A computer program used to discover and disable computer viruses. Vaccines are written to combat after a virus attack. After analysing the code that makes up a computer virus, the virus signature can normally be identified. Identifying the signature is the first step in creating a vaccine to combat it.
Vawtrak/Neverquest
Vawtrak, also known as Neverquest, is malware used to gain unauthorized banking access. The malware infects machines and then joins them into a botnet that is used to collect online banking credentials. The malware is used to log in to unsuspecting victims’ bank accounts and transfer money into the accounts of the hackers (the botnet administrators). One way this malware works is by injecting a DLL into a web browser, so that once the targeted websites are visited, extra code can be injected into the web page, allowing the hacker to bypass authentication methods.
Virtual Private Network/VPN
Making use of the internet to create a private network that is secured with encryption and tunneling technologies to ensure only authorized users access the private network. Many companies use VPNs to allow their employees to access the company intranet while at an external site. For example, an employee can log into their company’s VPN from their home computer by accessing a specific URL and supplying some form of authentication; the service then creates an encrypted tunnel into the company’s network.
Virus
A malicious program that is installed onto a computer system, normally without the user’s knowledge. It replicates itself by copying over to a program or boot sector. A virus can be used to cause harm and destruction to a computer, its files and applications, or it can be used to steal personal data or create a backdoor into a system, giving an unauthorized user access to the system. The terms viruses, worms, Trojans, spyware, ransomware, and malware are often used interchangeably, though there are differences. Many of these are considered types of viruses as they are all used for malicious purposes.
Virus Hoax
A misleading, false message, warning about a computer virus that does not actually exist on the computer. The warning normally comes in an email message. These messages can create a mindset to ignore legitimate virus warnings causing a potential vulnerability if users do not remain diligent. Some virus hoaxes have actually been used to send viruses. There was an AOL4FREE virus hoax warning, that later was used to distribute a Trojan.
Vishing
An attempt to scam a would be victim by using the telephone to make fraudulent phone calls pretending to be from a reputable company. The point of vishing is to gain financial or other personal information.
Vulnerability
An exploitable weakness within a computer system, or application. A flaw that could allow unauthorized access or compromise.
W
Wabbits
At times called a fork bomb or rabbit virus, this is a denial-of-service attack that will continue to replicate itself until it consumes all of the system’s resources.
Watering Hole
A type of computer attack, where the perpetrators target a particular group. The bad actor will work to gauge which websites the particular group will visit and infects those sites with malware hoping at least one member of the group falls victim to the attack.
Web bug
Also known as a web beacon, this is an embedded object in a web page or email that is used to track when content has been accessed and can help to create analytics. Web bugs are normally invisible to the user. Other names are tracking bug, tag, or page tag.
Web Content Filtering Software
A program used to restrict access to certain websites that could be deemed offensive or potentially harmful. Web content filtering software is often used by parents and corporations. Content filtering software can be programmed to look for certain word strings, and is mostly used to avoid pornographic websites.
Web-Attacker
An exploit kit that is considered a simplified, “do-it-yourself” malware creator. Even a novice user could manage to create and send malware that would be used to infect a computer. It contains all of the scripts needed to create the malware and send the spam emails used to lure potential victims to malicious websites.
Whaling
A type of phishing campaign where the targets are only high-profile users like celebrities, executives, or wealthy users. Social engineering, email or content spoofing are used to try to gain personal or corporate information from the intended victim. Whaling email attempts and websites are much more personalized than average phishing emails. Because of the added details, these types of attacks are much more difficult to identify as malicious.
White Hat Hacker
Also considered an ethical hacker. One who performs pen testing, or other hacking activities for the purpose of identifying vulnerabilities so an organization can protect themselves against potential black hat hackers, who exploit vulnerabilities with malicious intent.
Whitelist
A registry of entitled or accepted entities within a domain. Whitelisting is the opposite of blacklisting, which is listing entities that should be denied or are unrecognized. In IT, there are email, application, network, and user whitelists. For email whitelists, a list of email addresses or IP addresses is created to identify who it is safe to receive email from. System administrators can create network whitelists to identify which MAC addresses are allowed on the network. They can also create application whitelists, which identify which applications or software are considered safe to operate within an environment. This is a useful approach in combating malware.
Worm
A type of self-replicating malicious virus that is able to spread to various computers across a network. Worms exploit vulnerabilities to gain access. They cause damage by corrupting or modifying files, or by consuming system resources and limiting available bandwidth. Worms that are used to cause harm to files are considered to have a payload. The payload is the malicious code used to corrupt, delete, alter, encrypt or exfiltrate files. Worms that are considered payload-free are just used to consume resources. Worms that encrypt files are used in ransomware attacks. Many current ransomware attacks use worms to gain network access. Spora is a recent worm that used USB drives to spread and encrypt files.
Z
Zero Day
A type of attack or vulnerability that happens or is exploited (respectively) before the security vulnerability has been identified and a notice or security patch is released to the public. Meaning, there are zero days for a patch, fix, or update to be created and released.
Zero Day Virus/Malware
This is malware that was previously unknown and no signatures are yet available to identify and defend against this type of malware or virus.
Zero-Day Attack
A type of attack that happens before a security vulnerability has been identified and a notice or security patch is released to the public. Meaning, there are zero days for a patch, fix, or update to be created and released. These are the hardest types of attacks to defend against because the vulnerabilities are not yet known.
Zeus GameOver/Zeus P2P
Uses Peer-to-Peer (P2P) communications to create a botnet used, mostly, to steal banking credentials from its victims. The unsuspecting systems that become part of the GameOver Zeus (GOZ) botnet are used to send spam and participate in Distributed Denial of Service (DDoS) attacks.
ZeuS/Zbot
A very stealthy, key-logging and form-grabbing Trojan horse that is used to perform man-in-the-middle attacks on various Windows platforms. ZeuS is mainly used to steal banking credentials from unsuspecting users.
Zip Bomb
Also referred to as the “zip of death”, this is a zip or archive file packed with malicious code. The file appears small in size during transit to try to avoid detection. During the unpacking operation the file size increases to an astronomical amount, consuming most or all of the system’s resources to open. The 42.zip zip bomb, for example, appeared to be a 42 kilobyte archive, but expanded to 4.5 petabytes of data. Zip bombs are often used to disable antivirus software.
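As an added example (not part of the glossary), here is a defensive pre-extraction check for the behaviour described above: it inspects the archive’s declared sizes for an implausible expansion ratio or total, flags nested archives (the trick 42.zip relies on), and, because header fields can lie, also enforces a byte budget while streaming each member out. The archive is constructed in memory from a run of zeros; the limits are illustrative assumptions.

```python
"""
Added example: detecting and containing zip bombs before they exhaust a system.
"""
import io
import random
import zipfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024   # assumed policy: refuse > 100 MiB declared
MAX_RATIO = 100                       # assumed policy: refuse > 100:1 expansion
MEMBER_NAME = "member.bin"            # name used by the constructed sample archive


class ZipBombSuspected(Exception):
    """Raised when an archive looks like, or behaves like, a zip bomb."""


def inspect_archive(data: bytes, max_total: int = MAX_TOTAL_BYTES,
                    max_ratio: int = MAX_RATIO) -> dict:
    """Check the central directory before decompressing any member content.

    Returns {"total": declared uncompressed bytes, "ratio": expansion ratio,
    "nested": [names of members that are themselves archives]}.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    ratio = total / max(compressed, 1)
    if total > max_total:
        raise ZipBombSuspected(f"declared size {total} exceeds {max_total} bytes")
    if ratio > max_ratio:
        raise ZipBombSuspected(f"expansion ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    return {"total": total, "ratio": ratio, "nested": nested}


def read_member_bounded(data: bytes, name: str, budget: int) -> bytes:
    """Decompress one member in chunks, counting real output bytes.

    Declared sizes can be forged, so this stops as soon as the actual
    decompressed output exceeds `budget`, never buffering the whole member.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out += chunk
            if len(out) > budget:
                raise ZipBombSuspected(f"{name} exceeded {budget} bytes while extracting")
    return bytes(out)


def build_sample_archive(content: bytes) -> bytes:
    """Constructed sample: a deflate-compressed zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MEMBER_NAME, content)
    return buf.getvalue()


def sample_incompressible(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes that deflate cannot shrink (benign case)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    bomb = build_sample_archive(b"\0" * (1024 * 1024))   # ~1 MiB of zeros, ~1000:1
    print(len(bomb), "bytes on the wire")
    try:
        inspect_archive(bomb)
    except ZipBombSuspected as exc:
        print("rejected:", exc)
```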
Zombie
A compromised computer that has been taken over by a hacker. A zombie normally becomes part of a botnet that is used to perform malicious acts like sending spam or helping to conduct a DoS or DDoS attack. The true owners of zombie systems are normally unaware that a hacker has taken control of their machine.