The world of cybersecurity constantly changes, so ongoing education is the key to understanding today’s new threats. But where do you even begin? It all starts with a firm grasp of terminology. However, knowing all of the different terms can feel overwhelming. But don't worry. We got you.
Here are a variety of important cybersecurity terms, attack types, regulations, commonly asked questions, and even a few actionable steps that will help you learn about the basics of cybersecurity.
Cybersecurity 101: Definitions to Know
What Is Cybersecurity?
Is there a better place to start? "Cybersecurity" is a set of techniques for protecting an organization’s digital infrastructure—including networks, systems, and applications—from being compromised by attackers and other threat actors. Cybersecurity combines technology, people, and processes to create strategies aimed at protecting sensitive data, ensuring business continuity, and safeguarding against financial losses.
What Are The Types of Cybersecurity Solutions?
Anti-virus is a type of IT security software that scans for, detects, blocks and eliminates malware. AV programs will typically run in the background, scanning for known malware signatures and behavior patterns that may indicate the presence of malware.
Endpoint detection and response is a category of tools and solutions that focus on detecting, investigating and mitigating suspicious activity on endpoints and hosts. The value of EDR is in its ability to detect advanced threats that may not have a known behavioral pattern or malware signature. EDR can also trigger an adaptive response based on the nature of detected threats. Arctic Wolf’s security offerings complement EDR solutions to provide a higher level of overall security.
Managed detection and response is a component of SOC-as-a-service that offers comprehensive solutions for continuous monitoring, threat detection, and incident response by a third-party vendor. It's a holistic, turnkey solution for real-time, advanced threat management that helps in-house IT teams prioritize incidents and improve their organization’s security posture.
A network operations center is a central location from where network administrators manage and control one or more networks and a primary server across geo- graphically distributed sites. NOC engineers deal with DDoS attacks, power outages, network failures and routing black holes. A NOC is not a security solution. A customer with a NOC, or NOC services, is not protected from advanced cyberthreats.
A security operations center is the combination of cybersecurity personnel, threat detection and incident response processes, and supporting security technologies that make up an organization’s security operations. Larger enterprises typically build and manage a SOC in-house. Organizations of every size may choose to outsource their SOC to a SOC-as-a-service provider.
SIEM stands for security information and event management. SIEM is an integrated tool that collects and aggregates security events and alerts from different security products. The SIEM software analyzes and correlates those events to identify potential threats inside an organization’s environment.
Vulnerability management solutions identify, track, and prioritize internal and external cybersecurity vulnerabilities, optimizing cyberattack prevention activities such as patching, upgrades, and configuration fixes.
Vulnerability assessment is the process of identifying, classifying, and prioritizing vulnerabilities in business systems. Assessments can focus on internal, external, or host-based vulnerabilities.
What are the Different Types of Cyberattacks?
A brute-force attack is an attempt by a malicious actor to gain unauthorized access to secure systems by trying all possible passwords and guessing the correct one. In order for organizations to enhance their security posture, it's vital for them to be able to track and detect login attempt, failures, and brute-force attacks.
In this variant of phishing attacks, the attacker attempts to trick users into authorizing a malicious app or integration. Once the malicious app is authorized, it can be used to compromise accounts, exfiltrate data, or exploit further attack vectors.
This attacks exploits existing databases of compromised username and password combinations. Attackers attempt to login to a target account using these previously-breached passwords.
Cross-site scripting (XSS) is an attack that injects malicious scripts into a legitimate and trusted website. XSS attacks exploit vulnerabilities in web applications. The malicious code executes when an unsuspecting end-user visits the website and then may access sensitive data and session information gathered by the browser. Attackers also use XSS to plant trojans, keyloggers, and other malware.
A data breach refers to any event where unauthorized users steal sensitive information from a company. Often this information is personally identifiable information (PII) or financial information for resale.
A distributed denial-of-service attack seeks to crash a web server or an online service by flooding it with more traffic than it can handle. The attack is executed in stages that include installing command-and-control (C2) software on victim devices and creating botnets that are programmed to target the online server or service.
DNS hijacking, also known as DNS redirection and DNS poisoning, redirects queries to a Domain Name System (DNS), typically to a malicious website that contains malware or advertising or other unwanted content. DNS is the equivalent of a series of internet phone books, and DNS hijacking essentially forces the browser to go to the wrong location.
In a drive-by attack, the user doesn't have to download malware, click on a malicious link, or take some other action. Instead, malicious code is downloaded automatically to the user's device, typically when the user visits a compromised website.
An exploit is a malicious application or script that takes advantage of a vulnerability in endpoints and other hardware, networks, or applications. Attackers typically use exploits to take control of a system or device, to steal data, or to escalate access privileges. Exploits are often used as a component of a multi-layered attack.
Golden Ticket Attack
A Golden Ticket Attack occurs when an attacker has gained control over a Domain’s Key Distribution Service (KDS), which is designed to grant user requests to access network resources. Once an attacker has gained this control they are able to produce unauthorized “Golden Tickets” granting the attacker access to resources within the domain.
Malware is malicious software that spreads via an email attachment or a link to a malicious website. It infects the endpoints when a user opens the attachment or clicks on the link. There are many different types of malware attacks, which include adware, fileless malware, viruses, worms, trojans, spyware, and ransomware. Speaking of which...
Ransomware is a type of malicious software (malware) that prevents the end user from accessing a system or data. The most common form is crypto ransomware, which makes data or files unreadable through encryption, and requires a decryption key to restore access. Another form, locker ransomware, locks access rather than encrypting files. Attackers typically request a payment, often in the form of bitcoins, to decrypt files or restore access.
Supply Chain Attack
A supply chain attack occurs when a threat actor is able to attack a target by means of compromising a third-party resource. In many circumstances, the compromised vendor is not the final target but is instead used as the method to exploit or gain access to the intended victim. In some situations a supply chain attack might include numerous additional victims who were not necessarily the final intended target.
A web shell is an attack technique in which a threat actor is able to upload a malicious web-based shell-like interface to a web server for the purposes of executing desired commands. Often a web shell makes use of a vulnerability within the target and allows the threat actor to obtain a command line interface for command execution.
What Happens During a Ransomware Attack?
During a ransomware campaign, attackers often use phishing and social engineering to get a computer user to click on an attachment or a link to a malicious website. Some types of ransomware attacks, however, don’t require user action because they exploit website or computer vulnerabilities to deliver the payload. Once it infects your computer you know you’re a victim because the attack will launch an on-screen notification with the ransom demand.
Phishing is a malicious email that tricks users to surrender their user credentials. The email may appear legitimate, as if coming from your bank, and ask you to reset your password. In a spearphishing attack, an individually-crafted email targets a key executive or decision maker. Arctic Wolf MDR can detect and warn you of phishing and spearphishing.
Security misconfigurations result from the failure to properly implement security controls on devices, networks, cloud applications, firewalls, and other systems, and can lead to data breaches, unauthorized access, and other security incidents. Misconfigurations can include anything from default admin credentials, open ports, and unpatched software, to unused web pages and unprotected files.
An SQL injection is a technique that inserts structured query language (SQL) code into a web application database. Web applications use SQL to communicate with their databases, and a SQL injection relies on a user to input information, such as login credentials. Attackers can use SQL injections to perform actions such as retrieval or manipulation of the database data, spoofing user identity, and executing remote commands.
A Trojan horse is typically a legitimate-looking but malicious code or application that can be used for a variety of nefarious actions, including to steal, delete, or modify data—and disrupt computers or a network. Trojans have different categories, such as exploits, backdoors, and rootkits.
What Are Some of the Different Kinds of Cybersecurity Compliance Regulations?
The California Consumer Privacy Act applies to all businesses selling products and services to Californians, regardless of the business' physical location or presence in the state. CCPA enables consumers to request information about what data the business collects about them and for what purposes. Businesses that don't meet certain minimum thresholds are exempt.
The Cybersecurity Maturity Model Certification is a unifying standard for cybersecurity across Department of Defense contractors. It provides five levels of security and certification. Meeting and certifying the correct CMMC level is increasingly necessary to bid on DoD contracts and do business with the department.
The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR). DFARS is administered by the Department of Defense (DoD), and applies to DoD contractors that process, store, or transmit unclassified, nonpublic information.
The Federal Financial Institutions Examination Council is an intra-agency federal body that sets uniform standards for regulated financial institutions. It provides a Cybersecurity Assessment Tool to help institutions identify their risk and track their cybersecurity preparedness.
The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of individuals’ personal information within the European Union (EU). Organizations must comply regardless of their physical location or presence in the EU if they process or store data of EU subjects.
Gramm-Leach Bliley Act
The Gramm-Leach Bliley Act (GLBA) requires financial institutions and other entities that provide financial products—including loans, insurance, and investment advice—to safeguard sensitive data and to explain their information-sharing practices to customers.
The Health Insurance Portability and Accountability Act protects the privacy of patient health records. Title II, in particular, governs the secure storage, processing, transfer and access of electronic protected health information (ePHI). HIPAA imposes compliance requirements on health- care providers and related companies. Arctic Wolf helps customers meet HIPAA compliance goals.
The National Institute of Standards and Technology is a non-regulatory entity under the umbrella of the United States Department of Commerce. NIST Publication Series 800 provides a comprehensive listing of information security measures and controls based on extensive research. Arctic Wolf delivers prevention, detection, and response functions as defined by NIST.
The Payment Card Industry Data Security Standard (PCI-DSS) was developed to protect credit, debit and cash card transactions and prevent misuse of cardholders’ personal information by any companies/ merchants that electronically handle cardholder data. PCI imposes compliance requirements on any company that processes customer payments. Arctic Wolf helps customers meet PCI compliance goals.
Sarbanes-Oxley Act (SOX)
Sarbanes-Oxley Act (SOX) are expanded regulatory requirements governing all U.S. public companies, foreign companies with securities registered with the Securities and Exchange Commission, and public accounting firms. The primary goal of SOX is to prevent fraudulent financial reporting and to protect investors.
What Are Managed Security Services?
Managed security is a service or solution provided by an outside vendor, typically as a subscription model, to manage and oversee a specific security aspect. Organizations typically use managed security services either to completely outsource their security functions or to scale their needs to complement their in-house capabilities.
What Is an MSSP?
A managed security service provider (MSSP) is a vendor that manages and monitors an organization’s security 24×7. MSSP services may include, among others, deployment of security infrastructure, monitoring endpoints, and managing network security.
What is SOC-as-a-Service?
SOC-as-a-service is a subscription-based, outsourced alternative to an in-house security operations center (SOC). A SOC-as-a-service vendor offers a comprehensive set of solutions, such as managed detection and response, and provide organizations with a dedicated team of experts who are available around the clock to detect, monitor, and respond to incidents. SOC-as-a-service combines people, processes, and technology to deliver cost-effective cybersecurity and help organizations maintain compliance.
Additional Cybersecurity Terms to Know
API (Application programming interfaces) is a computing interface that defines and standardizes interactions between two pieces of software. APIs are an invaluable source of data for security operations, especially when collecting information from security tools or cloud platforms.
An Advanced Persistent Threat, or ATP, is an advanced threat actor who is commonly a nation state or state-sponsored in origin. In most cases these groups are highly skilled and driven by political or economic motives. As compared to less sophisticated threat actors, an ATP will generally work in a slower, more methodical fashion in an attempt to remain undetected while integrating themselves deeper into their target’s environment.
CASB (Cloud Access Security Broker) is software that sits between cloud services and cloud users, monitoring activity and enforcing security policies.
CSPM (or SSPM)
Cloud Security Posture Management (or Software as a service Security Posture Management) is the practice of continuously benchmarking and managing cloud or SaaS instances, identifying misconfigurations and other vulnerabilities, and prioritizing and remediating these cloud risks. It can be facilitated by CSPM tools or delivered as a service by CSPM solutions.
The Darkweb includes internet resources such as websites and social networks that are not indexed or accessible through most search engines. Since much of the darkweb is hidden from the public it hosts a large amount of criminal or illicit activity. In many cases, accessing the dark web requires the use of specific browsers and protocols making it difficult to track and control.
Identity and Access Management is the practice of ensuring that only the correct individuals have access to an organization's resources—and at the right times, for the right reasons.
MFA/2FA (Multi-factor authentication/two-factor authentication) are security tools that require users to provide multiple pieces of evidence to a computer system before accessing services or an account, such as a password and a code sent to another device. MFA defends against attacks that exploit password vulnerabilities and is rapidly becoming a universal security standard in business technology.
What Are the Necessary Steps to Protect Against Cyber Threats?
You cannot protect what you don't know you have—the first step in protecting against threats is to identify the vulnerabilities in your environment. A risk assessment helps you identify and manage vulnerabilities. Once you perform a vulnerability scan, you can prioritize mitigation steps based on the top risks. Since your environment continuously changes—and therefore so do your risks—identifying vulnerabilities should be a continuous, ongoing process.
To protect your IT infrastructure against threats, you need multi-layered defenses across your perimeter, as well as anywhere your data resides or is accessed. This includes your cloud applications and workloads, BYOD devices, and any place where users may access your network and sensitive resources.
Threats will slip through, as no protection is fool proof, no matter how many layers you have. Detection helps you find the threats that got past your defenses, whether that's never-before-seen malware, or an attacker using stolen credentials. You should monitor your environment 24x7, and detection can't rely on technology alone. You need skilled security analysts who can make the type of decisions that require human intelligence.
The quicker you respond, the better your chances to limit the "blast radius"—that is, the damage an attack can inflict on your organization—and prevent data exfiltration. In addition to analysts to monitor alerts, your security team needs responders who can quickly make decisions to minimize an incident. Automating some of the response actions will also speed up the remediation cycle.
Recovery is the final step after an incident, and recovery preparedness includes more than simply ensuring data backup. After an attack, you need to both quickly restore affected systems and operations, as well as ensure that the threat is eradicated. It's also highly recommended to include data recovery processes and procedures into your disaster recovery plan.