Cybersecurity Terms

Protecting systems from digital attacks.

Malware
Malware, short for malicious software, is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, or deprive users access to their information.
Phishing
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Encryption
Encryption is the process of converting information or data into a code, especially to prevent unauthorized access. It scrambles readable text so it can only be read by the person who has the secret code, or decryption key.
VPN
A Virtual Private Network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
Ransomware
Ransomware is a type of malware that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. The most common form involves encrypting the victim's files and demanding a payment to receive the decryption key.
Virus
A computer virus is a type of malicious code or program that alters the way a computer operates, is designed to spread from one computer to another, and has the ability to replicate itself.
Worm
A computer worm is a standalone malware program that replicates itself in order to spread to other computers. It often spreads over a computer network, relying on security weaknesses on the target computer to gain access.
Trojan Horse
A Trojan horse, or Trojan, is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.
Spyware
Spyware is a type of malware that secretly observes the user's computer activities without permission and reports them to the software's author.
Social Engineering
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It is a confidence trick for the purpose of information gathering, fraud, or system access.
DDoS
A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Man-in-the-Middle Attack
A Man-in-the-Middle (MITM) attack is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Zero-Day Vulnerability
A zero-day vulnerability is a flaw in computer software that is unknown to those who should be interested in mitigating it, including the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
Penetration Testing
A penetration test, or pen test, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, and strengths.
Vulnerability
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
Exploit
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
MFA
Multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.
SIEM
Security Information and Event Management (SIEM) is a field within computer security in which software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.
SOC
A Security Operations Center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC is a facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
IDS
An Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically either reported to an administrator or collected centrally using a SIEM system.
IPS
An Intrusion Prevention System (IPS) is a network security technology that examines network traffic flows to detect and prevent vulnerability exploits. It is an active system that can block malicious traffic in real time.
SQL Injection
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
CIA Triad
The CIA Triad is a widely used model for guiding information security policies. It stands for Confidentiality, Integrity, and Availability. These three principles are considered the core goals of information security.
Confidentiality
Confidentiality is a component of the CIA Triad that ensures information is not disclosed to unauthorized individuals, entities, or processes. It is about keeping data private and secret.
Integrity
Integrity is a component of the CIA Triad that involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.
Availability
Availability is a component of the CIA Triad. For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
Zero Trust
Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone or any device by default, even those already inside the network perimeter. The core philosophy is "never trust, always verify."
Endpoint Security
Endpoint security refers to the practice of securing endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors and campaigns.
Defense in Depth
Defense in depth is a cybersecurity strategy that employs multiple layers of security controls to protect an organization's assets. The idea is that if one layer fails, another layer is there to stop the attack.
Principle of Least Privilege
The principle of least privilege (PoLP) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program) must be able to access only the information and resources that are necessary for its legitimate purpose.
Threat Modeling
Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and prioritized – all from a hypothetical attacker's point of view.
Incident Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
Patch Management
Patch management is the process of distributing and applying updates to software. These patches are often necessary to correct errors (also referred to as "vulnerabilities" or "bugs") in the software.
Botnet
A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam or launch DDoS attacks.
Ethical Hacking
Ethical hacking involves an authorized attempt to gain unauthorized access to a computer system, application, or data. Carrying out an ethical hack involves duplicating strategies and actions of malicious attackers.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries. It encompasses methods for encryption, decryption, hashing, and digital signatures.
Hashing
Hashing is the process of transforming any given key or a string of characters into another value. This is usually a fixed-length string or number that represents the original string. A good hash function is one-way, meaning the original data cannot be retrieved from the hash.
Digital Signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature gives a recipient very strong reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
TLS Certificate
A TLS (or SSL) certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. It is a data file hosted on a website's origin server that binds a cryptographic key to an organization's details.
Certificate Authority (CA)
A Certificate Authority (CA) is a trusted entity that issues digital certificates. The CA acts as a trusted third party, trusted by both the subject (owner) of the certificate and the party relying upon the certificate.
Vulnerability Assessment
Vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Keylogger
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
Rootkit
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Backdoor
A backdoor in a computer system is any method for bypassing normal authentication or encryption. It is a hidden entry point that can be used to gain access to a system.
Data Breach
A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
Cybersecurity Analyst
A cybersecurity analyst is a professional who protects an organization's computer systems and networks from cyber threats. They are responsible for monitoring network traffic, investigating security alerts, and responding to incidents.
Digital Forensics
Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
Threat Intelligence
Threat intelligence is information an organization uses to understand the threats that have, will, or are currently targeting the organization. This information is used to prepare, prevent, and identify cyber threats looking to take advantage of valuable resources.
Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. These factors can include something you know (like a password), something you have (like a phone or hardware key), and something you are (like a fingerprint).
Single Sign-On (SSO)
Single Sign-On (SSO) is an authentication scheme that allows a user to log in with a single set of credentials to multiple independent software systems. With SSO, a user logs in once and gains access to all systems without being prompted to log in again at each of them.
Identity and Access Management (IAM)
Identity and Access Management (IAM) is a framework of policies and technologies for ensuring that the proper people have the appropriate access to technology resources. It involves managing user identities and controlling what those identities are allowed to do.
Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a specific type of firewall that helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site scripting (XSS), SQL injection, and path traversal.
Antivirus
Antivirus software is a program or set of programs designed to prevent, search for, detect, and remove computer viruses and other malicious software such as worms, Trojans, and adware. It typically uses signature-based detection to identify known threats.
Spear Phishing
Spear phishing is a phishing attack that is targeted at a specific individual, organization, or business. Attackers conduct reconnaissance on the target to craft a more believable message that is tailored to the victim.
Whaling
Whaling is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company. The content of a whaling email is often written as a senior-level business communication.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF or XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Denial of Service (DoS)
A Denial-of-Service (DoS) attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. It is typically accomplished by flooding the targeted machine with superfluous requests.
Honeypot
A honeypot is a cybersecurity mechanism set up to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. A honeypot consists of data that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers.
Sandboxing
A sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It provides a tightly controlled set of resources for guest programs to run in, such as a scratch space on disk and memory.
Threat Actor
A threat actor, or malicious actor, is a person or entity responsible for an event or incident that has an impact on the safety or security of another entity. They can be categorized by their motivations, resources, and skill levels.
Attack Vector
An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities.
Attack Surface
An organization's attack surface is the sum of all of its hardware, software, and services that are accessible from the public internet and could be vulnerable to attack. It is the combination of all potential attack vectors.
Indicator of Compromise (IoC)
An Indicator of Compromise (IoC) is a piece of forensic data, such as a file hash, IP address, or domain name, that indicates that a security breach has occurred on a system or network. It is evidence of a potential intrusion.
Tactics, Techniques, and Procedures (TTPs)
Tactics, Techniques, and Procedures (TTPs) is a concept used in cybersecurity and threat intelligence to describe the behavior of a threat actor. Tactics are the high-level goals, techniques are the methods used to achieve those goals, and procedures are the specific implementations of those techniques.
MITRE ATT&CK
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Red Team
A Red Team is a group of security professionals who act as adversaries to test an organization's security defenses. They emulate the TTPs of real-world attackers to conduct a realistic, multi-layered attack simulation.
Blue Team
A Blue Team is a group of security professionals who are responsible for defending an organization's information systems against attack. This includes the ongoing work of configuring security controls, monitoring for threats, and responding to incidents.
Non-repudiation
Non-repudiation is the assurance that someone cannot deny the validity of something. It provides proof of the origin, integrity, and delivery of data. It is the concept of ensuring that a party in a dispute cannot repudiate, or refute the validity of a statement or contract.
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business critical data and identifies violations of policies defined by organizations.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. In RBAC, access rights are grouped by role name, and permissions are granted to roles, not to individual users.
Security Hardening
Security hardening is the process of securing a system by reducing its surface of vulnerability. It involves configuring a system to be as secure as possible by removing unnecessary software, changing default passwords, disabling unused services, and applying secure configurations.
Principle of Least Authority
This is a synonym for the Principle of Least Privilege (PoLP). It is a security principle that states a user or process should only be given the minimum levels of access – or permissions – needed to perform its job functions.
Data Security
Data security refers to the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle. It's a concept that encompasses every aspect of information security from the physical security of hardware and storage devices to administrative and access controls.
Network Security
Network security is a broad term that covers a multitude of technologies, devices, and processes. In its simplest terms, it is a set of rules and configurations designed to protect the integrity, confidentiality, and accessibility of computer networks and data using both software and hardware technologies.
Privacy
In the context of data, privacy is the right of individuals to have control over how their personal information is collected, used, and shared. It is a concept that is both legal and ethical.
Brute-Force Attack
A brute-force attack is a trial-and-error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys. In a brute-force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
Credential Stuffing
Credential stuffing is a type of cyberattack in which stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts on other services. This is a type of brute-force attack.
Payload
In cybersecurity, the payload is the part of a piece of malware that performs the actual malicious action, such as encrypting files, stealing data, or deleting files. The rest of the malware is for delivery and concealment.
Adware
Adware is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. While some adware is harmless, it can also be a form of spyware that tracks user behavior without consent.
Log Management
Log management is the collective process of handling log data, which involves generating, collecting, centralizing, parsing, storing, analyzing, and disposing of large volumes of log data generated by computer systems.
Input Sanitization
Input sanitization is the process of cleaning and filtering data that is provided by a user or another application to prevent it from causing harm to a system. This involves removing or modifying potentially malicious characters or code from the input.
Prepared Statement
A prepared statement, or parameterized query, is a feature used to execute the same or similar database statements repeatedly with high efficiency. The key security benefit is that it separates the SQL query structure from the data, making it immune to SQL injection.
STRIDE
STRIDE is a threat modeling methodology developed by Microsoft. It provides a mnemonic for developers and security professionals to use when identifying threats to a system. The acronym stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Secure SDLC
A Secure Software Development Lifecycle (Secure SDLC) is a process that integrates security-focused activities and tools into every phase of the standard software development lifecycle. The goal is to build security into the software from the beginning, rather than trying to add it on at the end.
DevSecOps
DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle. It is an extension of the DevOps philosophy.
Shift Left
In cybersecurity, "shift left" refers to the practice of moving security testing, evaluation, and practices earlier in the software development lifecycle (SDLC) – that is, to the "left" on a typical project timeline diagram. The goal is to find and fix security flaws as early as possible.
Static Application Security Testing (SAST)
Static Application Security Testing (SAST) is a white-box method of testing that analyzes an application's source code, byte code, or binary code for security vulnerabilities without executing the program.
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing (DAST) is a black-box testing method that examines an application as it is running to find vulnerabilities that an attacker could exploit. It tests the application from the outside-in, with no knowledge of the underlying source code.
Risk Assessment
A risk assessment is the process of identifying, analyzing, and evaluating risks. In cybersecurity, this involves identifying valuable assets, the threats to those assets, and the vulnerabilities that could be exploited by those threats. The goal is to determine the likelihood and impact of a potential security incident.
Least Privilege
A synonym for the Principle of Least Privilege (PoLP). This security principle dictates that a user, process, or program should only have the minimum set of permissions (privileges) required to perform its specific, legitimate task, and no more.
Digital Certificate
A digital certificate is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the software examining the certificate trusts the signer, then it can use that key to communicate securely with the certificate's subject.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines, standards, and best practices to help organizations manage and reduce cybersecurity risk. Developed by the U.S. National Institute of Standards and Technology, it provides a high-level, strategic view of the lifecycle of cybersecurity risk management.