The constantly changing world of cybersecurity can leave you longing for an understanding of today's modern threats. A solid foundation of cybersecurity terminology is a great first step toward understanding the world of cyber threats and how to help minimize and mitigate risk for your organization. But with more acronyms added every year, it can be a daunting task to keep up. Thankfully, we're here to help.
We've created a master list of important cybersecurity terms, attack types, regulations, commonly asked questions, and even a few actionable steps that will help you learn about the basics of cybersecurity—and then some. Let's get started.
Cybersecurity 101: Key Definitions
What Is Cybersecurity?
Is there a better place to start? "Cybersecurity" is a set of techniques for protecting an organization’s digital infrastructure—including networks, systems, and applications—from being compromised by attackers and other threat actors. Cybersecurity combines technology, people, and processes to create strategies aimed at protecting sensitive data, ensuring business continuity, and safeguarding against financial losses.
What Are The Types of Cybersecurity Solutions?
Anti-virus is a type of IT security software that scans for, detects, blocks and eliminates malware. AV programs will typically run in the background, scanning for known malware signatures and behavior patterns that may indicate the presence of malware.
Endpoint detection and response is a category of tools and solutions that focus on detecting, investigating and mitigating suspicious activity on endpoints and hosts. The value of EDR is in its ability to detect advanced threats that may not have a known behavioral pattern or malware signature. EDR can also trigger an adaptive response based on the nature of detected threats.
Managed detection and response is a component of SOC-as-a-service that offers comprehensive solutions for continuous monitoring, threat detection, and incident response by a third-party vendor. It's a holistic, turnkey solution for real-time, advanced threat management that helps in-house IT teams prioritize incidents and improve their organization’s security posture.
Managed Risk continuously scans your networks, endpoints, and cloud environments for risky software, assets, misconfigurations, and accounts beyond simple vulnerability management solutions. It is delivered as a concierge service; it helps to take a more proactive approach to security by identifying gaps to harden the security posture over time.
A network operations center is a central location from where network administrators manage and control one or more networks and a primary server across geographically distributed sites. NOC engineers deal with DDoS attacks, power outages, network failures and routing black holes. A NOC is not a security solution. A customer with a NOC, or NOC services, is not protected from advanced cyberthreats.
SIEM stands for security information and event management. SIEM is an integrated tool that collects and aggregates security events and alerts from different security products. The SIEM software analyzes and correlates those events to identify potential threats inside an organization’s environment.
A security operations center is the combination of cybersecurity personnel, threat detection and incident response processes, and supporting security technologies that make up an organization’s security operations. Larger enterprises typically build and manage a SOC in-house. Organizations of every size may choose to outsource their SOC to a SOC-as-a-service provider.
Vulnerability assessment is the process of identifying, classifying, and prioritizing vulnerabilities in business systems. Assessments can focus on internal, external, or host-based vulnerabilities. An assessment has a specific start and end date.
Vulnerability management solutions identify, track, and prioritize internal and external cybersecurity vulnerabilities, optimizing cyberattack prevention activities such as patching, upgrades, and configuration fixes.
XDR, or Extended Detection and Response, is a broad term used to describe platforms that extend the endpoint focus of traditional EDR tools to include a wider set of security telemetry and event data. Depending upon the platform, this may include telemetry from Cloud, Network, Endpoint, and Identity resources.
Open XDR is a vendor-neutral approach to an Extended Detection and Response platform that avoids the common concern of vendor lock-in associated with point-product XDR solutions. An Open XDR platform allows for the collection of security telemetry from existing security tools for alert correlation, noise reduction, and increased response speeds.
What are the Different Types of Cyberattacks?
A brute-force attack is an attempt by a malicious actor to gain unauthorized access to secure systems by trying all possible passwords and guessing the correct one. In order for organizations to enhance their security posture, it's vital for them to be able to track and detect login attempts, failures, and brute-force attacks.
In this variant of phishing attacks, the attacker attempts to trick users into authorizing a malicious app or integration. Once the malicious app is authorized, it can be used to compromise accounts, exfiltrate data, or exploit further attack vectors.
This attack exploits existing databases of compromised username and password combinations. Attackers attempt to log in to a target account using these previously breached passwords.
Cross-site scripting (XSS) is an attack that injects malicious scripts into a legitimate and trusted website. XSS attacks exploit vulnerabilities in web applications. The malicious code executes when an unsuspecting end-user visits the website and then may access sensitive data and session information gathered by the browser. Attackers also use XSS to plant trojans, keyloggers, and other malware.
A data breach refers to any event where unauthorized users steal sensitive information from a company. Often this information is personally identifiable information (PII) or financial information for resale.
A distributed denial-of-service attack seeks to crash a web server or an online service by flooding it with more traffic than it can handle. The attack is executed in stages that include installing command-and-control (C2) software on victim devices and creating botnets that are programmed to target the online server or service.
DNS hijacking, also known as DNS redirection and DNS poisoning, redirects queries to a Domain Name System (DNS), typically to a malicious website that contains malware or advertising or other unwanted content. DNS is the equivalent of a series of internet phone books, and DNS hijacking essentially forces the browser to go to the wrong location.
In a drive-by attack, the user doesn't have to download malware, click on a malicious link, or take some other action. Instead, malicious code is downloaded automatically to the user's device, typically when the user visits a compromised website.
An exploit is a malicious application or script that takes advantage of a vulnerability in endpoints and other hardware, networks, or applications. Attackers typically use exploits to take control of a system or device, to steal data, or to escalate access privileges. Exploits are often used as a component of a multi-layered attack.
Golden Ticket Attack
A Golden Ticket Attack occurs when an attacker has gained control over a Domain’s Key Distribution Service (KDS), which is designed to grant user requests to access network resources. Once an attacker has gained this control they are able to produce unauthorized “Golden Tickets” granting the attacker access to resources within the domain.
Malware is malicious software that spreads via an email attachment or a link to a malicious website. It infects the endpoints when a user opens the attachment or clicks on the link. There are many different types of malware attacks, which include adware, fileless malware, viruses, worms, trojans, spyware, and ransomware. Speaking of which...
Ransomware is a type of malicious software (malware) that prevents the end user from accessing a system or data. The most common form is crypto ransomware, which makes data or files unreadable through encryption, and requires a decryption key to restore access. Another form, locker ransomware, locks access rather than encrypting files. Attackers typically request a payment, often in the form of bitcoins, to decrypt files or restore access.
Ransomware-as-a-service is a subscription-based attack method used by threat actors to reduce the entry barrier for ransomware activities. Novice attackers can leverage a cloud-based ransomware service to facilitate their attacks in return for a percentage of the ransom paid. This removes the need for attackers to develop their own ransomware and payment process.
What Happens During a Ransomware Attack?
During a ransomware campaign, attackers often use phishing and social engineering to get a computer user to click on an attachment or a link to a malicious website. Some types of ransomware attacks, however, don’t require user action because they exploit website or computer vulnerabilities to deliver the payload. Once it infects your computer, you know you’re a victim because the attack will launch an on-screen notification with the ransom demand.
Supply Chain Attack
A supply chain attack occurs when a threat actor is able to attack a target by means of compromising a third-party resource. In many circumstances, the compromised vendor is not the final target but is instead used as the method to exploit or gain access to the intended victim. In some situations a supply chain attack might include numerous additional victims who were not necessarily the final intended target.
Phishing is a malicious email that tricks users into surrendering their user credentials. The email may appear legitimate, as if coming from your bank, and ask you to reset your password. In a spearphishing attack, an individually crafted email targets a key executive or decision maker.
Security misconfigurations result from the failure to properly implement security controls on devices, networks, cloud applications, firewalls, and other systems, and can lead to data breaches, unauthorized access, and other security incidents. Misconfigurations can include anything from default admin credentials, open ports, and unpatched software, to unused web pages and unprotected files.
An SQL injection is a technique that inserts structured query language (SQL) code into a web application database. Web applications use SQL to communicate with their databases, and a SQL injection relies on a user to input information, such as login credentials. Attackers can use SQL injections to perform actions such as retrieval or manipulation of the database data, spoofing user identity, and executing remote commands.
A Trojan horse is typically a legitimate-looking but malicious code or application that can be used for a variety of nefarious actions, including to steal, delete, or modify data—and disrupt computers or a network. Trojans have different categories, such as exploits, backdoors, and rootkits.
A web shell is an attack technique in which a threat actor is able to upload a malicious web-based shell-like interface to a web server for the purposes of executing desired commands. Often a web shell makes use of a vulnerability within the target and allows the threat actor to obtain a command line interface for command execution.
Social Engineering Terms and Attack Types
Smishing uses the medium of texting individuals to trick people into following links and/or downloading apps that can be especially dangerous.
Vishing uses lies and deception over phone calls to trick people into believing the scam the caller has set up or into believing they have properly identified the caller. With the assumption that they have properly identified the caller, they then may take action or divulge protected information.
Whaling is the practice of targeting high-level executives or extremely wealthy individuals. Compromising a ‘whale’ allows the bad guys to go after two streams of nefarious activity: first, to initiate direct actions while impersonating the compromised executive, and second, to convince others to initiate actions on behalf of the executive they have compromised.
In-Person Social Engineering Attacks
Juice Jacking/Free Wifi
These are sometimes an easy way for social engineers to lure unsuspecting people into exposing their devices to all sorts of mayhem. Juice Jacking is the use of a ‘free’ charging station for your phone, tablet or laptop. Once you connect, the evil commences: the bad guy now secretly has physical access to your device because they tricked you into plugging it in by exploiting our fear of depleting battery power. Free Wifi can work in the same way, drawing people into voluntarily connecting their device to dangerous exposure.
These exploits work exceptionally well because they don’t require the social engineer to be talented at lying or convincing. They just have to lay out their chargers or wifi access in places where people won’t be suspicious.
Tailgating is the act of a non-approved person slipping through a door just behind an approved person. Typically, either someone grabs a closing door just before it shuts or an employee thinks they’re being nice by holding the door. Tailgating is an issue because it gives strangers unwarranted physical access to sensitive areas and it can also violate certain compliance regulations that require evidence (swipe trail) of anyone who may have access to various physical areas.
Shoulder surfing can sometimes be a subtle way for social engineers to get access to sensitive and important data without having to hack anything or trick anyone. They just have to be a little stealthy so that nobody notices them looking over your shoulder while you work. This is pretty easy on a flight, or in a coffee shop, where you may not have a lot of suspicion when a stranger is seated next to you.
Insider threats are a growing problem because the bad guys have monetized, incentivized, and corporatized the ability for a disgruntled employee to leak data and/or expose vulnerabilities, going as far as publishing price lists on easily accessible websites. This makes it much easier for someone to be tempted to get a payday for their disloyalty to the company they work for.
Dumpster diving is probably the least glamorous devious action a bad guy may try in order to uncover sensitive information to use in their exploits. However, just because dumpster is in the name doesn’t always mean they will physically hop into a dumpster. The recycling bin that hangs out by an office printer collects a whole lot of unclaimed copies that could contain information that is valuable in the wrong hands. Anytime something is thrown out without being properly shredded or disposed of, it risks being exposed.
And just because there are some cleaner ways to get info from discarded materials or machines, still don’t put it past a bad guy to actually hop right into a smelly dumpster to get their hands on some prized info.
Managed Vulnerability Terms
Assets can be people, property, or information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include information, data, trademark, copyright, patent, reputation, and proprietary information. Tangible assets include physical items such as hardware, software, firmware, computing platform, network device, or other technology components.
The Common Vulnerability Scoring System (CVSS)
CVSS is a framework for communicating the characteristics and severity of software vulnerabilities. It includes three types: base, temporal, and environmental. The CVSS provides a standardized approach to vulnerability severity scores.
False positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don’t have a vulnerability when, in fact, you do. A false positive is like a false alarm; your house alarm goes off, but there is no burglar.
Mitigation means to reduce the likelihood and/or impact of a vulnerability being exploited. This is sometimes necessary when a proper fix or patch isn’t yet available for an identified vulnerability. This option should ideally be used to buy time for an organization to eventually remediate the vulnerability.
Remediation is to fully fix or patch a vulnerability so it can’t be exploited. This is the ideal treatment option that organizations strive for.
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.
Risk acceptance means to take no action to fix or otherwise reduce the likelihood/impact of a vulnerability being exploited. This is typically justified when a vulnerability is deemed a low risk, and the cost of fixing the vulnerability is substantially greater than the cost incurred by an organization if the vulnerability were to be exploited.
A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
What Are Some of the Different Kinds of Cybersecurity Compliance Regulations?
The California Consumer Privacy Act applies to all businesses selling products and services to Californians, regardless of the business' physical location or presence in the state. CCPA enables consumers to request information about what data the business collects about them and for what purposes. Businesses that don't meet certain minimum thresholds are exempt.
The Cybersecurity Maturity Model Certification is a unifying standard for cybersecurity across Department of Defense contractors. It provides five levels of security and certification. Meeting and certifying the correct CMMC level is increasingly necessary to bid on DoD contracts and do business with the department.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR). DFARS is administered by the Department of Defense (DoD), and applies to DoD contractors that process, store, or transmit unclassified, nonpublic information.
Federal Risk and Authorization Management Program standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies.
The Federal Financial Institutions Examination Council is an intra-agency federal body that sets uniform standards for regulated financial institutions. It provides a Cybersecurity Assessment Tool to help institutions identify their risk and track their cybersecurity preparedness.
The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of individuals’ personal information within the European Union (EU). Organizations must comply regardless of their physical location or presence in the EU if they process or store data of EU subjects.
Gramm-Leach Bliley Act
The Gramm-Leach Bliley Act (GLBA) requires financial institutions and other entities that provide financial products—including loans, insurance, and investment advice—to safeguard sensitive data and to explain their information-sharing practices to customers.
The Health Insurance Portability and Accountability Act protects the privacy of patient health records. Title II, in particular, governs the secure storage, processing, transfer and access of electronic protected health information (ePHI). HIPAA imposes compliance requirements on healthcare providers and related companies. Arctic Wolf helps customers meet HIPAA compliance goals.
The National Institute of Standards and Technology is a non-regulatory entity under the umbrella of the United States Department of Commerce. NIST Publication Series 800 provides a comprehensive listing of information security measures and controls based on extensive research. Arctic Wolf delivers prevention, detection, and response functions as defined by NIST.
The Payment Card Industry Data Security Standard (PCI-DSS) was developed to protect credit, debit and cash card transactions and prevent misuse of cardholders’ personal information by any companies/merchants that electronically handle cardholder data. PCI imposes compliance requirements on any company that processes customer payments. Arctic Wolf helps customers meet PCI compliance goals.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) sets expanded regulatory requirements governing all U.S. public companies, foreign companies with securities registered with the Securities and Exchange Commission, and public accounting firms. The primary goal of SOX is to prevent fraudulent financial reporting and to protect investors.
What Are Managed Security Services?
Managed security is a service or solution provided by an outside vendor, typically as a subscription model, to manage and oversee a specific security aspect. Organizations typically use managed security services either to completely outsource their security functions or to scale their needs to complement their in-house capabilities.
What Is an MSSP?
A managed security service provider (MSSP) is a vendor that manages and monitors an organization’s security 24×7. MSSP services may include, among others, deployment of security infrastructure, monitoring endpoints, and managing network security.
What is SOC-as-a-Service?
SOC-as-a-service is a subscription-based, outsourced alternative to an in-house security operations center (SOC). A SOC-as-a-service vendor offers a comprehensive set of solutions, such as managed detection and response, and provides organizations with a dedicated team of experts who are available around the clock to detect, monitor, and respond to incidents. SOC-as-a-service combines people, processes, and technology to deliver cost-effective cybersecurity and help organizations maintain compliance.
Additional Cybersecurity Terms to Know
An API (application programming interface) is a computing interface that defines and standardizes interactions between two pieces of software. APIs are an invaluable source of data for security operations, especially when collecting information from security tools or cloud platforms.
An Advanced Persistent Threat, or APT, is an advanced threat actor who is commonly a nation state or state-sponsored in origin. In most cases these groups are highly skilled and driven by political or economic motives. As compared to less sophisticated threat actors, an APT will generally work in a slower, more methodical fashion in an attempt to remain undetected while integrating themselves deeper into their target’s environment.
CASB (Cloud Access Security Broker) is software that sits between cloud services and cloud users, monitoring activity and enforcing security policies.
CSPM (or SSPM)
Cloud Security Posture Management (or Software as a service Security Posture Management) is the practice of continuously benchmarking and managing cloud or SaaS instances, identifying misconfigurations and other vulnerabilities, and prioritizing and remediating these cloud risks. It can be facilitated by CSPM tools or delivered as a service by CSPM solutions.
The dark web includes internet resources such as websites and social networks that are not indexed or accessible through most search engines. Since much of the dark web is hidden from the public, it hosts a large amount of criminal or illicit activity. In many cases, accessing the dark web requires the use of specific browsers and protocols, making it difficult to track and control.
Deception Technology is a form of active threat detection based on the utilization of lures within an environment meant to draw out attackers. Alerts generated from deception methods are considered high fidelity since they should only be triggered by threat actors.
Identity and Access Management is the practice of ensuring that only the correct individuals have access to an organization's resources—and at the right times, for the right reasons.
MFA/2FA (Multi-factor authentication/two-factor authentication) are security tools that require users to provide multiple pieces of evidence to a computer system before accessing services or an account, such as a password and a code sent to another device. MFA defends against attacks that exploit password vulnerabilities and is rapidly becoming a universal security standard in business technology.
User and Entity Behavior Analytics is a form of machine learning and behavioral analysis designed for threat detection. UEBA models are built to generate an organization's baseline of normal behaviors. Any deviations from this baseline may indicate threats and will generate alerts. In this way, UEBA is capable of quickly identifying potentially malicious user activity.
What Are the Necessary Steps to Protect Against Cyber Threats?
You cannot protect what you don't know you have—the first step in protecting against threats is to identify the vulnerabilities in your environment. A risk assessment helps you identify and manage vulnerabilities. Once you perform a vulnerability scan, you can prioritize mitigation steps based on the top risks. Since your environment continuously changes—and therefore so do your risks—identifying vulnerabilities should be a continuous, ongoing process.
To protect your IT infrastructure against threats, you need multi-layered defenses across your perimeter, as well as anywhere your data resides or is accessed. This includes your cloud applications and workloads, BYOD devices, and any place where users may access your network and sensitive resources.
Threats will slip through, as no protection is foolproof, no matter how many layers you have. Detection helps you find the threats that got past your defenses, whether that's never-before-seen malware, or an attacker using stolen credentials. You should monitor your environment 24x7, and detection can't rely on technology alone. You need skilled security analysts who can make the type of decisions that require human intelligence.
The quicker you respond, the better your chances to limit the "blast radius"—that is, the damage an attack can inflict on your organization—and prevent data exfiltration. In addition to analysts to monitor alerts, your security team needs responders who can quickly make decisions to minimize an incident. Automating some of the response actions will also speed up the remediation cycle.
Recovery is the final step after an incident, and recovery preparedness includes more than simply ensuring data backup. After an attack, you need to both quickly restore affected systems and operations and ensure that the threat is eradicated. It's also highly recommended to include data recovery processes and procedures in your disaster recovery plan.