Cyber Security Glossary
Cybersecurity terminology is explained in plain English.
I’ve not met anyone yet who can keep up with all the cybersecurity terms, jargon and acronyms that are thrown about. So if you want to know your phish from your whales, I’ve* compiled this cybersecurity glossary of terminology and acronyms I’ve come across.
Let me know if I’ve missed anything.
Advanced Persistent Threat (APT)
An ongoing cyberattack that uses sophisticated techniques to conduct cyber espionage or other malicious activity against governments and companies. Advanced Persistent Threat attacks are typically driven by an adversary with sophisticated expertise and significant resources – frequently associated with nation-state players.
These cyber-attacks tend to come from multiple entry points and may use several attack vectors (e.g. cyber, physical, deception). Once a system has been breached, it can be complicated to end the attack.
A notification that a cybersecurity threat to your information system has been detected or is underway.
Antivirus
Antivirus software protects your computer from viruses, spyware and other malicious programs. It can also help protect you against identity theft by scanning documents for hidden text or images that could be used to steal personal information, such as credit card numbers. There are many different types of antivirus software available today, including free versions and paid-for commercial products.
A distinctive pattern or characteristic that can help link one attack to another, identifying those who may have possibly carried out an attack and possible solutions to help stop it in the future.
The agent behind the threat: a malicious actor who seeks to change, destroy, steal or disable the information held on computer systems and then exploit the outcome.
The process of verifying the identity or other attributes of a user, method or device.
The observation of the activities of users, information systems and processes. It can be used to measure these activities against organisational policies and rules, baselines of everyday activity, thresholds and trends.
A list of entities (users, devices) that are blocked or denied privileges or access.
Blue Team
The Blue Team are the defenders: generally the internal security team that defends against both real attackers and Red Teams (simulated attackers) in a simulated cyber-attack or penetration test.
Bot
Bot is just a short word for robot. A bot is a software program that performs repetitive tasks; they generally operate on the internet. While some bot traffic is from good bots, bad bots can negatively impact a website or application.
Botnet
Botnets are networks made up of remote-controlled computers or bots. These computers have been infected with malware that allows them to be remotely controlled. Some botnets consist of hundreds of thousands — or even millions — of computers.
Breach
A data breach is the unauthorised access of data, computer systems or networks.
Bring Your Own Device (BYOD)
Bring your own device (BYOD) allows an organisation’s staff to use their own devices in the workplace and use those devices to access the organisation’s systems, applications, and information securely. This can mean using their smartphones, tablets or laptops for work.
Brute force attack
An attacker uses a simple script that attempts to guess the password of a user on your system by trying a very large number of alphanumeric combinations until one grants access. Most attackers use an online dictionary and try every word in it, one at a time, until they get lucky or run out of terms.
A relatively minor defect or flaw in an information system or device.
Certificate
A digital certificate is a form of digital identity verification that allows a computer, user or organisation to exchange information securely.
Certified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) is one of the most recognised qualifications for information security audit control, assurance, and security professionals.
Certified Information Systems Security Manager (CISM)
An advanced professional certification from ISACA for professionals with the knowledge and experience to develop and manage an enterprise information security program.
Certified Information Systems Security Professional (CISSP)
A management certification for CISOs and other information security leaders.
An algorithm for encrypting and decrypting data. Sometimes used interchangeably with the word ‘code’.
Computer Incident Response Team (CIRT)
A team of investigators focused on network security breaches. Their role is to analyse how the incident took place and what information has been affected/lost. They then use this insight to respond.
Computer Network Defence (CND)
Typically applied to military and government security, CND protects information systems and networks against cyber attacks and intrusions.
Control Objectives for Information and Related Technologies (COBIT)
A business framework developed and continually updated by ISACA comprising practices, tools and models for management and governance of information technology, including risk management and compliance.
Information used to authenticate a user’s identity – for example, password, token, certificate.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a software vulnerability usually found in Web applications that allows online criminals to inject client-side script into pages that other users view.
Attackers can also use a cross-site scripting vulnerability to bypass access controls. The issue can become a significant security risk unless the network administrator or the website owner takes the necessary security measures.
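To make the entry concrete, here is an added example (not from the glossary) of the defect and its fix: a server-side page renders a user-supplied query string first unescaped, then escaped for the HTML text and attribute contexts. The input string and function names are constructed for the illustration.

```python
"""Cross-site scripting: unescaped versus escaped rendering of user input.

Added example (not from the glossary). `render_unsafe` has the defect the
entry describes: a value taken from the request is pasted straight into the
page, so any markup in it becomes part of the page other users see.
`render_safe` and `render_attr_safe` apply the standard fix, escaping the
value for the context it lands in at output time.
"""
from html import escape

# Constructed input, standing in for a query parameter such as ?q=...
# This is the common harmless probe string; a real injection would run
# in every visitor's browser with that site's privileges.
USER_INPUT = "<script>alert('xss')</script>"


def render_unsafe(query):
    """Vulnerable: the raw query string is concatenated into the HTML."""
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    """Hardened for HTML text context: &, <, >, " and ' become entities,
    so the browser renders the value as text instead of parsing it."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def render_attr_safe(query):
    """Hardened for a quoted attribute context: the attribute is always
    quoted and quote characters inside the value are escaped, so the
    value cannot close the attribute and start a new one."""
    return f'<input name="q" value="{escape(query, quote=True)}">'


def survives_verbatim(rendered, value):
    """True if the user value appears unmodified in the output, which
    means any markup in it is live. A cheap regression check."""
    return value in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_INPUT))
    print("safe:  ", render_safe(USER_INPUT))
    print("attr:  ", render_attr_safe('" onfocus="x'))
```

Escaping is context-specific: a value placed inside a script block or a URL needs a different encoder than the HTML entity escaping shown here.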
The study of encoding. Also, code/cypher/mathematical techniques to secure data and provide authentication of entities and data.
Deliberate and malicious attempts to damage, disrupt or gain access to computer systems, networks or devices, via cyber means.
A UK Government-backed self-assessment certification that helps you protect against cyber-attacks while also demonstrating to others that your organisation is taking measures against cybercrime.
A breach of a system or service’s security policy – most commonly:
- Attempts to gain unauthorised access to a system and/or to data.
- Unauthorised use of systems for the processing or storing of data.
- Changes to a system’s firmware, software or hardware without the system owner’s consent.
- Malicious disruption and/or denial of service.
Cybersecurity
Cybersecurity is a collective term used to describe the protection of electronic and computer networks, programs and data against malicious attacks and unauthorised access.
Data at rest
Data that is in persistent storage – i.e. data that remains on a device whether or not it is connected to a power source – such as hard disks, removable media or backups.
The unauthorised movement or disclosure of information, usually to a party outside the organisation.
The quality of data that is complete, intact, and trusted and has not been modified or destroyed in an unauthorised or accidental manner.
No longer having data, whether because it has been stolen, deleted, or its location was forgotten.
Data loss prevention (DLP)
A security strategy and related programs to prevent sensitive data from passing a secure boundary.
The measures taken to protect confidential data and prevent it from being accidentally or deliberately disclosed, compromised, corrupted or destroyed.
The process of deciphering coded text into its original plain form.
Denial of service (DoS)
A denial-of-service (DoS) attack is a type of attack where someone maliciously tries to render a computer, server or another device unavailable to its users by interrupting the device’s normal functioning. Denial of Service attacks usually work by overwhelming or flooding the targeted machine with traffic until regular network traffic can no longer be processed, resulting in a denial of service to users of the device. A Denial of Service attack is generally carried out using a single computer.
The two main types of DoS attack are buffer overflow attacks and flood attacks.
Dictionary attack
The attacker uses known dictionary words, phrases or common passwords to access your information system. A Dictionary Attack is a type of brute force attack.
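The defender’s side of the brute force and dictionary attack entries above is detection: many failed logins from one source in a short window, often against several usernames. The following is an added example (not from the glossary) that flags such sources in sshd-style authentication logs; the log lines, addresses and thresholds are constructed for the illustration.

```python
"""Detect brute-force / dictionary password guessing in authentication logs.

Added example (not from the glossary): flags any source address that
produces at least `threshold` failed logins inside a sliding `window`,
which is the signal a defender uses to rate-limit or temporarily lock out
that source. Log lines and addresses below are constructed, not a capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of an sshd auth log (not a real capture).
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:02 sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:03 sshd[2201]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:04 sshd[2201]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:05 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 60000 ssh2
2024-03-01T10:00:09 sshd[2201]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:10 sshd[2201]: Failed password for bob from 198.51.100.4 port 60001 ssh2
2024-03-01T10:05:00 sshd[2201]: Failed password for bob from 198.51.100.4 port 60002 ssh2
2024-03-01T10:10:00 sshd[2201]: Failed password for bob from 198.51.100.4 port 60003 ssh2
"""

# Matches the failed-password line shape used above, including the
# "invalid user" variant sshd emits for usernames that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source, username) for each failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: (failures_in_window, distinct_usernames)} for every
    source that reaches `threshold` failures inside some `window`.

    Lines must be in time order. A deque per source holds only the
    failures still inside the window, so memory stays bounded. The count
    of distinct usernames helps tell a single-account brute force from a
    dictionary run across many accounts.
    """
    recent = defaultdict(deque)   # src -> timestamps inside current window
    users = defaultdict(set)      # src -> usernames tried so far
    flagged = {}
    for ts, src, user in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), len(users[src]))
    return flagged


if __name__ == "__main__":
    for src, (count, distinct) in detect_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {count} failures in window across {distinct} usernames")
```

A legitimate user who mistypes a password three times over ten minutes (198.51.100.4 in the sample) stays below the default threshold, which is why the window matters as much as the count.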
Distributed denial of service (DDoS)
A Distributed Denial of Service (DDoS) attack is where someone tries to maliciously disrupt the regular network traffic of a server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks generally achieve effectiveness by using multiple compromised computer systems as sources of attack traffic. Compromised devices can include computers and other networked resources such as IoT devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the motorway, preventing the regular traffic from arriving at its destination.
Drive-by download
Malicious software or a virus installed on a device without the user’s knowledge or consent is sometimes known as a drive-by download.
Electronic warfare (EW)
The use of energy, such as radio waves or lasers, to disrupt or disable the enemy’s electronics. An example would be frequency jamming to disable communication equipment.
The use of a code to convert plaintext to ciphertext.
The use of a cypher to protect the information, making it unreadable to anyone who doesn’t have the key to decode it.
A collective term for internet-capable computer devices connected to a network – for example, modern smartphones, laptops and tablets are all endpoints.
The use of hacking techniques for legitimate purposes – i.e. to identify and test cybersecurity vulnerabilities. The actors in this instance are sometimes referred to as ‘white hat hackers’.
The transfer of information from a system without consent.
The act of taking advantage of a vulnerability in an information system. The term is also used to describe a technique that is used to breach network security.
Computer programs that are designed to discover vulnerabilities in software apps and use them to gain access to a system or network. Once they have infiltrated a system, they deliver harmful code to it.
A virtual boundary that surrounds a network or device that is used to protect it from unwanted access. It can be hardware or software.
Government Communications Headquarters (GCHQ)
Government Communications Headquarters, more often known as GCHQ, is a security and intelligence organisation responsible for providing signals intelligence (SIGINT) and information to the government and armed forces of the United Kingdom. This organisation works with foreign intelligence organisations to help combat terrorism, cybercrime and child pornography.
General Data Protection Regulation (GDPR)
GDPR is European legislation designed to prevent data misuse by giving individuals greater control over how their personally identifiable information is used online.
Governance, Risk Management and Compliance (GRC)
Three aspects of organisational management that aim to ensure the organisation and its people behave ethically, run the organisation effectively, take appropriate measures to mitigate risks and maintain compliance with internal policies and external regulations.
Someone who breaks into computers, systems and networks.
Using a mathematical algorithm to disguise a piece of data.
Honeypot
A decoy system or network that attracts potential attackers, protecting existing systems by detecting attacks or deflecting them. A good tool for learning about attack styles. Multiple honeypots form a honeynet.
Any breach of the security rules for a system or service. This includes attempts to gain unauthorised access, the unauthorised use of systems to process or store data, malicious disruption or denial of service, and changes to a system’s firmware, software or hardware without the owner’s consent.
Incident response plan
A predetermined plan of action to be undertaken in the event of a cyber incident.
A signal that a cyber incident may have occurred or is in progress.
Industrial Control System (ICS)
An information system used to control industrial processes or infrastructure assets. Commonly found in manufacturing industries, product handling, production and distribution.
Information security policy
The directives, regulations, rules, and practices that form an organisation’s strategy for managing, protecting and distributing information.
An independent body that develops voluntary industry standards, including two major information security management standards: ISO 27001 and ISO 27002.
Internet of things (IoT)
The ability of everyday objects, such as kettles, fridges and televisions, to connect to the internet.
Internet Service Provider (ISP)
An Internet Service Provider (ISP) is a company that provides access to the internet for personal and/or business customers. ISPs make it possible for their customers to surf the web, shop online, conduct business, and connect with family and friends—all for a fee. ISPs may also provide other services, including email services, domain registration, web hosting, and browser packages.
Intrusion Detection System/Intrusion Detection and Prevention (IDS/IDP)
Hardware or software that finds and helps prevent malicious activity on corporate networks.
A tactic used by attackers to supply a false IP address in an attempt to trick the user or a cybersecurity solution into believing it is a legitimate actor.
The gold standard in information security management systems (ISMS) demonstrating the highest level of accreditation.
The removal of a device’s security restrictions to install unofficial apps and make modifications to the system. It is typically applied to a mobile phone.
The numerical value used to encrypt and decrypt the ciphertext.
A type of software that records the keystrokes typed on your keyboard to monitor a user’s activity; threat actors can then use this information to find out your password or other sensitive information.
Logic bomb
A piece of code that carries a secret set of instructions or commands. These commands are loaded onto your system and triggered by a particular action. A logic bomb typically performs a malicious activity, such as deleting files or uploading malicious software.
Malicious code that uses the macro programming capabilities of a document’s application to carry out misdeeds, replicate itself and spread throughout a system.
Program code designed for evil and intended to hurt the confidentiality, integrity or availability of an information system.
Malicious software
Malicious software, more often known as malware, is any software that can harm a computer system. Please see below for more information on Malicious Software.
The use of online advertising to deliver malware.
Malware
Malware, short for malicious software, is a blanket term for viruses, worms, trojans and other malicious computer programs hackers use to attack computer systems and access sensitive information. As Microsoft puts it, “[malware] is a catch-all term to refer to any malicious software designed to cause damage to a single computer, server, or computer network.”
In other words, malicious software is identified as malware based on its intended use rather than a particular technique or technology used to build it.
This means the difference between malware and a virus is roughly this: a virus is a type of malware, so all viruses are malware, but not every piece of malicious software is a virus.
Man-in-the-middle Attack (MitM)
An attack in which cybercriminals interpose themselves between the victim and the website the victim is trying to reach, either to harvest the information being transmitted or to alter it. Sometimes abbreviated as MITM, MIM, MiM or MITMA.
The steps taken to minimise and address cybersecurity risks.
Mobile Device Management (MDM)
Mobile device management (MDM) is a type of security software specifically for monitoring, managing and securing mobile, tablet and other devices, allowing remote administration and management of the device.
Part of GCHQ. A UK government organisation set up to help protect critical services from cyber-attacks.
A U.S. federal agency. Responsible for the ‘Framework for Improving Critical Infrastructure Cybersecurity’ – voluntary guidelines used by organisations to manage their security risks.
A framework used in the U.S. to help businesses prepare their defence against cybercrime.
Operating system (OS)
An operating system, commonly referred to as an OS, is a large and usually powerful program that manages and controls both the hardware and software on a computer. All computers and computer-like devices require an operating system, including your laptop, tablet, desktop, smartphone, smartwatch, and router.
Examples of Operating systems are Microsoft Windows (Windows 10, Windows 8, Windows 7, Windows Vista, and Windows XP), Apple’s macOS (formerly OS X), Chrome OS, BlackBerry Tablet OS, and various versions of Linux, an open-source operating system.
Software designed to monitor and record network traffic. It can be used for good or evil – either to run diagnostics and troubleshoot problems or snoop in on private data exchanges, such as browsing history, downloads, etc.
Passive attack
Attackers try to gain access to confidential information to extract it. Because they’re not trying to change the data, this type of attack is more difficult to detect – hence the name ‘passive’.
A technique used to harvest passwords by monitoring or snooping on network traffic to retrieve password data.
Patch management
Developers provide patches (updates) to fix flaws in software. Patch management is the activity of getting, testing and installing software patches for a network and the systems within it.
Applying updates (patches) to firmware or software, whether to improve security or enhance performance.
The element of the malware that performs the malicious action – the cybersecurity equivalent of the explosive charge of a missile. Payloads are usually described in terms of the damage they cause.
Payment Card Industry Data Security Standard (PCI-DSS)
The security practices of the global payment card industry. Retailers and service providers that accept card payments (both debit and credit) must comply with PCI-DSS.
A slang term for a penetration test or penetration testing.
A test designed to explore and expose security weaknesses in an information system so that they can be fixed.
Personally Identifiable Information (PII)
Data that enables an individual to be identified.
An attack on network infrastructure where a user is redirected to an illegitimate website, despite having entered the correct address.
Mass emails asking for sensitive information or pushing them to visit a fake website. These emails are generally untargeted.
A go-between placed between a computer and the internet, used to enhance cybersecurity by preventing attackers from directly accessing a computer or private network.
Purple Team
Purple Teams are a mixture of defenders and attackers who are there to maximise the capability of the Red and Blue teams. Purple teamers do this by integrating the defensive tactics and controls from the Blue Team with the threats and vulnerabilities found by the Red Team into a single way forward. Ideally, Purple shouldn’t be a team but rather a permanent dynamic between Red and Blue.
Ransomware
Ransomware is a type of malware (malicious software) that encrypts all the data on a PC or mobile device, blocking the data owner’s access to it.
After the infection happens, the victim receives a message telling them that a certain amount of money must be paid (usually in Bitcoins) to get the decryption key. Usually, there is also a time limit for the ransom to be paid. There is no guarantee that the decryption key will be handed over if the victim pays the ransom. The most reliable solution is to back up your data in at least three different places (for redundancy) and keep those backups up to date, so you don’t lose substantial progress.
A group authorised and organised to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s cybersecurity posture.
Additional or alternative systems, sub-systems, assets or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset or process.
Remote Access Trojan (RAT)
Remote Access Trojans (RATs) use the victim’s access permissions and infect computers to give cyberattackers unlimited access to the data on the PC.
Cybercriminals can use RATs to exfiltrate confidential information. RATs include backdoors into the computer system and can enlist the PC into a botnet while also spreading to other devices. Current RATs can bypass strong authentication and access sensitive applications, which are later used to exfiltrate information to cyber criminal-controlled servers and websites.
A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.
A cryptographic key that is used for both encryption and decryption, enabling the operation of a symmetric key cryptography scheme.
The use of information technology in place of manual processes for cyber incident response and management.
Security Information and Event Management (SIEM)
Software used to monitor, log, provide alerts and analyse security events to support threat detection and incident response. Examples are Microsoft Azure Sentinel and IBM QRadar.
The collection of data from a range of security systems and the correlation and analysis of this information with threat intelligence to identify signs of compromise.
Security Operations Center (SOC)
A central unit within an organisation that is responsible for monitoring, assessing and defending security issues.
A well-defined boundary within which security controls are enforced.
A rule or set of rules that govern the acceptable use of an organisation’s information and services to a level of acceptable risk and the means for protecting the organisation’s information assets.
Single Sign-On (SSO)
A software process that enables computer users to access more than one application using a single set of credentials, such as a username and password.
Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.
Social engineering
Methods of manipulating people into carrying out specific actions or divulging information that is of use to an attacker. Manipulation tactics include lies, psychological tricks, bribes, extortion, impersonation and other types of threats. Social engineering is often used to extract data and gain unauthorised access to information systems, either of single, private users or organisations.
Software as a service (SaaS)
Describes a business model where users access centrally hosted software applications over the internet; an example of this would be Dropbox.
Software programs, computer programs or computer software are programs or routines for a computer system that allow a specific type of computer operation. The term software program is also often used interchangeably with terms like software application and software product.
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
Spear phishing
Spear phishing is a cyber attack that aims to extract sensitive data from a victim using a particular and personalised message designed to look like it’s from a person the recipient knows and/or trusts.
This message is usually sent to individuals or companies, and it is incredibly effective because it’s very well planned. Attackers invest time and resources in gathering information about the victim (interests, activities, personal history, etc.) to create the spear-phishing message (usually an email). Spear phishing uses the sense of urgency and familiarity (appears to come from someone you know) to manipulate the victim, so the target doesn’t have time to double-check the information.
Faking the sending address of an email or message to gain unauthorised entry into a secure system.
Spyware
Spyware is a type of malware designed to collect and steal the victim’s sensitive information without the victim’s knowledge. Trojans, adware and system monitors are different types of spyware. Spyware monitors and stores the victim’s Internet activity (keystrokes, browser history, etc.) and can also harvest usernames, passwords, financial information and more. It can also send this confidential data to servers operated by cybercriminals to be used in subsequent cyber attacks.
SQL Injection
SQL Injection is a tactic that uses code injection to attack data-driven applications. The maliciously injected SQL code can perform several actions, including dumping all the data in a database to a location controlled by the attacker. Malicious hackers can spoof identities through this attack, modify data or tamper with it, disclose confidential data, delete and destroy the data, or make it unavailable. They can also take control of the database completely.
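The mechanism behind the entry, as an added example (not from the glossary): a lookup that splices user input into the SQL text, beside the same lookup with a bound parameter. It uses an in-memory SQLite database with constructed rows; the table, function names and hostile input are all constructed for the illustration.

```python
"""SQL injection: string-built query beside its parameterised fix.

Added example (not from the glossary). `lookup_unsafe` builds the statement
by string formatting, so a username that contains SQL changes the query's
logic and returns every row (the "dump the database" case in the entry).
`lookup_safe` passes the value as a bound parameter; the driver sends it
separately from the SQL text, so it is only ever compared as a string.
"""
import sqlite3


def make_db():
    """Constructed sample table in memory (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: user input is spliced straight into the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value travels as a parameter, never as SQL syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed hostile input: closes the quoted literal and appends a
# condition that is always true, so the WHERE clause matches every row.
INJECTED = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("unsafe, injected:", lookup_unsafe(db, INJECTED))   # all three rows
    print("safe, injected:  ", lookup_safe(db, INJECTED))     # no rows
    print("safe, alice:     ", lookup_safe(db, "alice"))
```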
SSL / Secure Sockets Layer
SSL is a method of encryption to ensure the safety of the data sent and received between a user and a specific website. Encrypting this data transfer ensures that no one can snoop on the transmission and access confidential information, such as card details, in online shopping. Legitimate websites use SSL (their addresses start with HTTPS). Users should avoid entering their data on websites that don’t use SSL. In practice the protocol has been superseded by TLS, although the name SSL is still widely used.
A way of concealing data by hiding it within text or images, often for malicious intent.
A cryptographic key that is used to perform both a cryptographic operation and its inverse, such as encrypting plaintext and decrypting ciphertext, or creating a message authentication code and verifying it.
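The entry above and the Hashing entry are easiest to tell apart in code. The following added example (not from the glossary) shows an unkeyed hash beside an HMAC: the same secret key both creates the tag and verifies it, which is what a plain hash cannot offer. Keys, messages and function names are constructed for the illustration.

```python
"""Hash versus keyed MAC: what a shared secret key adds.

Added example (not from the glossary). A plain hash (see Hashing) can be
recomputed by anyone, so it catches accidental corruption but not a party
who alters the data and recomputes the hash. A message authentication code
uses one secret key for both the operation (creating the tag) and its
inverse (verifying it), so only a key holder can produce a tag that
verifies. Keys and messages below are constructed.
"""
import hashlib
import hmac
import secrets


def generate_key() -> bytes:
    """Fresh 256-bit secret key; both parties must hold the same key."""
    return secrets.token_bytes(32)


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: identical input gives identical output, for anyone."""
    return hashlib.sha256(data).hexdigest()


def hash_check(message: bytes, digest: str) -> bool:
    """Integrity check by hash alone (no key involved)."""
    return sha256_hex(message) == digest


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag over the message using the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute with the same key and compare in constant time, so the
    comparison's duration leaks nothing about how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Run the genuine and tampered cases and report which checks accept."""
    key = b"constructed-shared-secret-key"   # fixed here for repeatability
    message = b"transfer 100 GBP to account 12345"
    digest = sha256_hex(message)
    tag = make_tag(key, message)

    # An attacker who can rewrite the message can rewrite the hash too,
    # but cannot compute a valid tag without the key.
    forged = b"transfer 900 GBP to account 99999"
    forged_digest = sha256_hex(forged)
    forged_tag = make_tag(b"attacker-guess", forged)

    return {
        "hash genuine": hash_check(message, digest),
        "hash forged": hash_check(forged, forged_digest),   # accepted: the weakness
        "mac genuine": verify_tag(key, message, tag),
        "mac tampered message": verify_tag(key, forged, tag),
        "mac wrong key": verify_tag(b"attacker-guess", message, tag),
        "mac forged": verify_tag(key, forged, forged_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'accepted' if ok else 'rejected'}")
```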
The detailed evaluation of the characteristics of individual threats.
The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or artificial that have or indicate the potential to harm life, information, operations, and/or property.
Threat management
There is no silver bullet to prevent 100% of cyber threats. Successful threat management requires a multi-layered approach encompassing prevention, detection, response and recovery.
Threat monitoring
During this process, security audits and other information in this category are gathered, analysed and reviewed to see if certain events in the information system could endanger the system’s security. Threat monitoring is a continuous process.
Ticket
In access control, a ticket is data that authenticates a client’s identity or service and, together with a temporary encryption key (a session key), forms a credential.
Token
In security, a token is a physical, electronic device used to validate a user’s identity. Tokens are usually part of two-factor or multi-factor authentication mechanisms. Tokens can also replace passwords in some cases and can be found in the form of a key fob, a USB device, an ID card or a smart card.
Traffic light protocol
A set of designations employing four colours (RED, AMBER, GREEN and WHITE) used to ensure that sensitive information is shared with the correct audience.
A computer program that appears to have a useful function but has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorisations of the system entity that invokes the program.
Two-factor authentication (2FA)
The use of two different components to verify a user’s claimed identity. Also known as multi-factor authentication.
Typhoid adware
Typhoid adware is a cybersecurity threat that employs a Man-in-the-middle attack to inject advertising into web pages a user visits while using a public network, like a public, non-encrypted WiFi hotspot. In this case, the computer being used doesn’t need to have adware, so installing an antivirus won’t fix the threat. While the ads themselves can be non-malicious, they could expose the site’s users to further threats. For example, the ads could promote a fake antivirus that has malware installed or a phishing attack.
Unauthorised access
Unauthorised access is when someone can access a website, program, server, service, or other system using someone else’s account or other methods. For example, if someone kept guessing a password or username for an account that was not theirs until they gained access, it is considered unauthorised access.
Unauthorised access could also be when a user attempts to access an area of a system they do not have permission to be accessing.
URL injection
A URL (or link) injection is when a cybercriminal creates new pages on a website owned by someone else that contain spam words or links. Sometimes, these pages also have malicious code that redirects your users to other web pages or makes the website’s web server contribute to a DDoS attack. URL injection usually happens because of vulnerabilities in server directories or software used to operate the website, such as outdated WordPress or plugins.
Virtual Private Network (VPN)
A virtual private network (VPN) is a service that creates a private online connection by means of encryption. Internet users may use a virtual private network to give themselves more privacy and anonymity online or to circumvent geographic-based blocking and censorship. Virtual private networks essentially extend a private network across a public network, allowing a user to securely send and receive data across the internet and prevent data theft.
Programs that can replicate themselves and are designed to infect legitimate software programs or systems. A form of malware.
A weakness, or flaw, in software, a system or a process. An attacker may try to exploit a vulnerability to get unauthorised access to a system.
Wabbit
A wabbit is one of four main classes of malware, alongside viruses, worms and Trojan horses. It’s a form of computer program that repeatedly replicates itself on the local system. Wabbits can be programmed to have malicious side effects. A fork bomb is an example of a wabbit: a DoS attack against a computer that uses the fork function. A fork bomb quickly creates a large number of processes, eventually crashing the system. Wabbits don’t attempt to spread to other computers across networks.
Water-holing (watering hole attack)
Setting up a fake website (or compromising a real one) to exploit visiting users.
A watering hole is the name of a computer attack strategy detected as early as 2009 and 2010.
The victim is a particular, very targeted group, such as a company, organisation, agency, industry, etc. The attacker spends time gaining strategic information about the target: for example, observing which group members often visit legitimate websites. Then the attacker exploits a vulnerability and infects one of those trusted websites with malware without the knowledge of the site’s owner.
Eventually, someone from that organisation will fall into the trap, and their computer will be infected, giving the attacker access to the target’s entire network. These attacks work because of the constant vulnerabilities in website technologies, even with the most popular systems, such as WordPress, making it easier than ever to compromise websites without being noticed.
Highly targeted phishing attacks (masquerading as legitimate emails) that are aimed at senior executives.
A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.
A list of entities that are considered trustworthy and are granted access or privileges.
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Recently discovered vulnerabilities (or bugs) that are not yet known to vendors or antivirus companies and that hackers can exploit.
Zombie
A zombie is a computer connected to the internet that appears to be operating normally but can be controlled by a hacker with remote access to it, who sends commands through an open port. Zombies are mainly used to perform malicious tasks, such as spreading spam or other infected data to other computers or launching DoS (Denial of Service) attacks. The owner is unaware of it.
*I’ve compiled this from notes that I’ve taken over the last few years. It is not my intention to plagiarise anyone else’s work. However, I cannot guarantee that the notes are not direct copies of other definitions. If you find one or more similar to someone else’s work, please let me know, and I’ll update this page.