Cybersecurity Glossary

256-bit encryption refers to the key length used to encrypt and decrypt data. Encryption is the process of turning plaintext data into ciphertext, a garbled version of the original data. To turn the ciphertext back to human-readable data, you would need the 256-bit key.

256-bit encryption is considered the strongest level of encryption since it currently uses the longest encryption key. This method requires 14 rounds of multiple processes to encrypt data and the same number of rounds to decrypt it.

Imagine having to go through 14 bank vault doors to get to your target. If you know the code for each lock, then you can open all 14 doors. Otherwise, it could take you a long time to get through.

Access governance is part of security management. It is the process of governing “who” should have access to a system and “how” they can gain entry into “what” within a network. The concept is often confused with access management. In reality, however, it is a higher form of access management since policies and procedures support access control.

Access governance is put in place to help organizations limit security risks that may arise from users trying to gain unauthorized access to confidential data. There has been a growing need for access governance as most organizations aim to comply with regulations and seek to improve their security posture.

Suppose you are the head of a human resources team, and your job is to secure all employee documents. You are responsible for ensuring that these are kept away from prying eyes. This is what access governance means in simple terms.

An active attack is considered an assault on a network or system. In such an attack, the threat actor interferes with how a network or system works by changing the target data or introducing new data.

An active attack refers to all kinds of activities that occur when a person tries to “hack” into a server or computer. In contrast to passive attacks, wherein hackers do not make modifications but rather listen in or monitor activities, active attacks involve introducing unwanted changes. In some cases, hackers use the data they gathered from a passive attack to carry out an active attack. In a nutshell, an active attack refers to actual “hacking,” while a passive attack can be likened more to “spying.”

Active reconnaissance is a computer attack where hackers communicate with a target system to collect information. The process involves probing a network for weaknesses, such as open ports or other possible entry points that include vulnerable routers.

“Reconnaissance” is a military term used to refer to missions into enemy territory to gather relevant information before carrying out an attack. In computer security, active reconnaissance is often the first step attackers take to gain insights into how best to enter a target network.

Adaptive security is a model that continuously investigates threat events. This real-time monitoring method allows security officials to develop strategies that let them map out the threat landscape before attacks can occur.

The main goal of adaptive security is to develop a plan that allows cybersecurity personnel to visualize, detect, and prevent threats from penetrating their networks.

You can liken adaptive security to an automated closed-circuit television (CCTV) system. When an unusual incident is spotted, the system sounds an alarm to alert security personnel to a potential intrusion.

The administrative safeguard is one of the security rules set by the Health Insurance Portability and Accountability Act (HIPAA) that refers to standards that help prevent electronic protected health information (EPHI) from unauthorized access. The administrative safeguard is one of the three safeguards HIPAA requires covered entities to implement—physical and technical safeguards are the other two requisites.

There are nine administrative safeguard standards that HIPAA requires covered entities to implement. Examples of these administrative safeguards include:

• Establishing a security management process
• Assigning a security official
• Conducting security awareness training for employees
• Drawing up a contract for all third-party entities that have access to EPHI

Alert fatigue or alarm fatigue happens to cybersecurity experts that get exposed to vast numbers of frequent alerts or alarms, consequently desensitizing them to the warnings. It results in longer response times or missing important alerts or alarms.

Apart from cybersecurity, alert fatigue happens in other industries, too, such as construction, mining, and healthcare. As in the story of the boy who cried “Wolf!” false alerts or alarms can rob critical ones of the importance they deserve.

ASLR, short for “address space layout randomization,” is a computer security technique that helps prevent the exploitation of memory corruption vulnerabilities. How? Suppose an attacker wants to effectively jump to a specific exploitable function in memory. In that case, ASLR randomly arranges the address space positions of key data areas of a process to prevent the threat actor from doing so.

You can compare ASLR to rearranging the order of paintings in a gallery according to how likely they will get stolen. The technique would place the most expensive works of art in the most inaccessible place and move on down the line, placing the least likely to get stolen in the most accessible room.

ATM jackpotting is the process of manipulating an automated teller machine (ATM) to dispense cash. It can be done in two ways.

First, hackers can exploit an ATM software’s vulnerabilities to control it remotely. A money mule usually waits for the physical machine to dispense cash that he or she then sends to the mastermind.

Second, attackers exploit vulnerabilities in the ATM hardware to make it dispense cash. A mule or the mastermind can collect the money then physically.

An account takeover (ATO) attack occurs when cybercriminals gain unauthorized control over online accounts using stolen usernames and passwords. Bank, e-commerce shop, and other financial accounts are the typical ATO attack targets as these could present substantial monetary gains for the attackers. ATO attacks are thus considered a form of identity theft.

You can liken an ATO attack to a physical theft where the thieves get hold of your credit cards, ATM cards, and IDs. They can use the stolen credit cards and IDs to purchase goods online or empty your bank accounts before you can report them stolen.

A backdoor attack uses a specific type of malware so hackers can avoid normal authentication procedures to gain access to a target system. As a result, perpetrators can go through all resources such as file servers and databases to issue commands and change system settings without being discovered.

Hackers install backdoors to take control of vulnerable network components, allowing them to carry out targeted attacks. These attacks include website defacement, data theft, server hijacking, watering hole attacks, and distributed denial-of-service (DDoS) attacks, among others. 

Imagine this scenario. A burglar scouts your house for possible entry points. A check of the front door reveals a complicated security system with cameras to boot. A similar check of the back door, however, reveals a pet door that remains unlocked at night. That pet door can let the thief enter the target home without getting caught.

Banner grabbing is the process of obtaining a target company’s application names and versions, regardless of manner—manually or automatically by using an open-source tool—in preparation for an attack.

All connected systems and devices often expose confidential information that includes software names and operating systems (OSs), along with their versions, collectively known as “banner data.” Knowing these data points allows threat actors to find exploitable vulnerabilities in target networks.

Think of banner grabbing as sending a spy to work for a competitor so he or she can report the company’s weaknesses to his or her real employer.

Blagging is a slang term for getting someone else’s personal information without his/her consent. Here’s an example: A blagger obtains a copy of your name and picture from Facebook then uses those to create an account. The blagger can then pose as you and trick your contacts into, say, donating to a fake cause but keep the money for himself/herself. Another scenario would be getting your bank account details and withdrawing your money using that stolen information.

In cybersecurity, blagging would fall under the umbrella of social engineering. In that case, blagging would be akin to other forms of social engineering like phishing where cybercriminals get your online account credentials in ingenious ways. In effect, the blagger steals your identity and more.

A blended threat is a type of malware whose functionality combines those of various malware types, such as worms, Trojans, and backdoors, to breach and take over a target network effectively. Its infection chain is usually triggered by an event, such as a website visit. From there, a victim is redirected to a malicious site. Once on it, the victim is tricked into downloading the blended threat through a clever social engineering ploy. Downloading the file installs the malware on the victim’s computer, and the infection starts.

Blended threats were borne out of threat actors’ need to evade detection and remediation. Using a malware with a single capability prevents it from achieving its goal.

Blowfish encryption is a symmetric block cipher (a method that allows encrypting data in blocks) that can be used in place of Data Encryption Standard (DES) or International Data Encryption Algorithm (IDEA). It takes a key that varies in length from 32–448 bits. As such, it works for both domestic and exportable use.

Think of Blowfish as the passcode to your vault. You will need the Blowfish encryption algorithm to lock and unlock it.

Bluebugging is a hacking technique that allows individuals to access a device with a discoverable Bluetooth connection. Once the target device accesses a rigged link, the attacker can take full control of it. The hacker can read and send messages, access the victim’s phonebook, and initiate or eavesdrop on phone calls.

Initially, bluebugging focused on eavesdropping or bugging a computer with Bluetooth capability. With the increasing use of smartphones, cybercriminals shifted to hacking mobile phones. This attack is often limited due to the range of Bluetooth connections, which goes up to only 10 meters. Some attackers use booster antennas to widen their attack range.

It’s not much different from bugging a landline phone, except it can be done without gaining access to the physical device.

Bluejacking is a hacking method that lets a person send unsolicited messages (typically flirtatious but can also be malicious) to any Bluetooth-enabled device within his own device’s range. Also known as “bluehacking,” the process begins by scanning one’s surroundings for discoverable Bluetooth-capable devices.

Bluejacking is much like doorbell ditching, wherein a person rings someone’s doorbell and disappears before the homeowner can answer the door.

A bug bounty is an incentive organizations offer to individuals or security researchers to discover and report vulnerabilities in software, websites, or digital infrastructures. The goal? To identify and address security flaws before threat actors or hackers can exploit them.

Bug bounties serve as proactive approaches to security testing since they engage a community of skilled individuals to continuously test how secure a system is. They can be a cost-effective way for companies to identify and fix bugs and improve their overall security posture.

Camfecting refers to hacking into someone’s webcam and activating it without alerting its owner. Anything the camera can see, its operator (i.e., the hacker) can, too. It is usually done by infecting a victim’s computer with malware that lets the hacker access a connected webcam. The term is a combination of “cam,” short for “camera,” and “fecting” from “infecting.”

Cognitive hacking is a cyber attack where threat actors manipulate victims’ perceptions by exploiting their psychological weaknesses. Attackers primarily use disinformation in their campaigns to fuel people’s biases and prejudices.

Cognitive security refers to the cybersecurity practice that applies artificial intelligence (AI) and machine learning (ML) techniques and technologies. Therefore, cognitive security is patterned after the human thought process in making sense of complex situations.

Cognitive security solutions are developed based on the skills of human threat, fraud, and other cybersecurity analysts. Hence, they are used in threat and fraud detection and strengthening an enterprise's cybersecurity posture.

A command-and-control or C&C server is a device or machine under the control of a cybercriminal. An attacker uses a command-and-control server to maintain communications with and remotely control malware or malicious scripts within a target network.

A command-and-control server can also receive stolen data from compromised systems, including computers, mobile phones, and even Internet of Things (IoT) devices connected to an infected network. Some cyber attackers hide command-and-control servers in file-sharing services to evade detection and blocking.

A command-and-control server can be likened to the puppeteer who controls the puppets in a show. The puppets’ actions depend on the instructions issued by the command-and-control server.

A computer security incident response team or CSIRT (pronounced “see-sirt”), for short, is responsible for exposing and averting cyber attacks that target an enterprise. It focuses on responding to security incidents, hence the name.

Credential dumping is a cyber attack where a threat actor hacks into devices and steals their owners’ credentials from the random access memory (RAM). Also known as “password dumping,” the attacker steals and copies the data to a predetermined storage (typically a server). Once that’s done, the credentials are said to have been “dumped.”

You should know that each time someone logs in to an account on your device, his/her username-password combination gets stored in its RAM. An attacker can read that information since it is saved in plaintext. 

Credential dumping is a crucial step in phishing and other cyber attacks.

The Creeper virus is the first computer virus ever developed. Bob Thomas created it in 1971 as an experimental self-duplication program. His idea, however, was not to cause harm and damage but merely illustrate how a mobile application works.

Without planning to, the Creeper virus corrupted Digital Equipment Corporation’s PDP-10 mainframe computers operating on the TEN-Extended (TENEX) operating system (OS). It messed up connected teletype computer screens, causing them to display the message, “I’m the creeper, catch me if you can!”

While the Creeper virus did corrupt systems, it is not considered a piece of malware like most of today’s computer viruses. The only damage it did was to display a message, nothing more. It did not destroy or steal data, demand a ransom, or render the actual mainframe inoperable.

Cryptanalysis is a means to decrypt ciphertext, ciphers, and cryptosystems. It works by understanding how they work to find ways to crack them despite the lack of plaintext source, encryption key, or algorithm used to mask information.

Ciphertext refers to encrypted text transformed from plaintext using an encryption algorithm. You can’t read ciphertext until you convert it into plaintext or decrypt it with a key. A cipher, meanwhile, is an algorithm used to encrypt or decrypt data. It is a series of well-defined steps to follow to encrypt or decrypt plaintext. Finally, a cryptosystem is a suite of cryptographic algorithms used to secure or encrypt information. It typically uses three algorithms—one for key generation, another for encryption, and one more for decryption.

Cryptanalysis can, therefore, be likened to cracking a safe without the passcode and accompanying key, if any.

A crypto malware is a type of malware that allows threat actors to use someone else’s computer or server to mine for cryptocurrencies. It has become one of the most prominent malware types since 2017. Why?

Crypto malware’s rise in popularity probably has a lot to do with the fact that cryptomining is a resource-intensive process that jacks up a user’s electricity bill for one and uses up his or her computer’s processing power, disallowing other tasks to be performed at the same time. 

Cybersquatting is the act of registering or using a domain name to profit at the expense of someone else’s trademarked or copyrighted “brand” or “name.” It typically occurs when a malicious individual misspells a domain name to steal traffic intended for its legitimate counterpart. An example would be running a site named mike[.]com that mimics nike[.]com.

Cybersquatting also happens when a malicious individual grabs an expired domain name when its owner fails to re-register it. He can then sell it back to its original owner for a hefty sum.

Also known as “domain squatting,” cybersquatting is a cybercrime.

Dark Web intelligence simply refers to data collated from the Dark Web and the Deep Web. It is used to fight fraud proactively and substantially reduce losses. Apart from the Dark Web and the Deep Web, this intelligence can also come from malware networks, botnets, and other technical infrastructure cybercriminals use.

Since the Dark Web allows users to remain anonymous and, therefore, unidentifiable and untraceable, it has become a haven for cybercriminals. You should know, though, that the Dark Web wasn’t initially meant for sinister purposes.

Data obfuscation is a security measure that aims to mask any kind of information or file. It involves scrambling information to ensure anonymity. It is often a strategy organizations employ as a security measure, as it renders data useless in case of a breach. That way, no severe compromise can occur.

So, what is data obfuscation in simple terms? It can be likened to someone wearing a mask in public to remain unrecognizable. Obfuscation ensures that the data remains intact and that malicious individuals cannot read it.

Deperimeterization is an information security strategy that strengthens an organization’s security posture by implementing multiple levels of protection, including inherently secure computer systems and protocols, high-level encryption, and authentication. It is called such since it implies that the enterprise no longer relies on its network perimeter for security.

Deperimeterization refers to perimeterless or borderless security, as the boundaries of an organization’s information systems (ISs) are removed, thereby connecting them directly to the outside world. It’s similar to taking down the walls of a fortified city and deploying armed soldiers everywhere instead.

A disaster recovery team is the group in an organization tasked to develop, document, and execute processes and procedures for data recovery, business continuity, and IT infrastructure repairs in case of an attack or failure. 

Think of it as a race car’s pit crew that ensures it will run efficiently throughout a race.

DNS blocking refers to a technique that restricts access to certain websites and online content. One of its primary uses is to help organizations prevent employees from accessing nonwork-related websites.

The technique is also used in school and at home to control what websites children can visit. Also called “DNS filtering” and “Internet content filtering,” DNS blocking helps improve productivity, enhance cybersecurity, and protect user privacy.  

A Domain Name System (DNS) sinkhole is simply a DNS server that gives users false domain names. It is also known as a “sinkhole server,” an “Internet sinkhole,” or a “blackhole DNS.”

The DNS was set up to point users to the correct IP address every time they type a specific domain name into their browsers in hopes of visiting a particular website. When a sinkhole appears after an earthquake, for instance, all of the structures on the ground in it sink. In the same vein, a DNS sinkhole disrupts the intended flow of Internet traffic from a domain name to its correct IP address. As a result, anyone who accesses one gets sent to a different IP address.

Document sanitization is the process of removing metadata from a document to avoid sensitive information falling into unauthorized people’s hands. Document metadata refers to invisible information in a document, such as its creation date, author’s name, revision history, and the comments exchanged by the author and editor.

Even when some of the said data is deleted, there’s still a chance it has been digitally stored within the document. And since metadata can contain sensitive information, removing it is crucial before distributing the document to other people.

For example, a contract drawn by a law office may have undergone several editing and revision phases. The author, editor, and everyone involved may have left and addressed comments in the document before the contract was finalized. Before sending the contract to the necessary parties, it has to go through document sanitization first so that only the intended information is sent.

A dumpster diving attack is a type of cyber attack made possible by searching through the victim’s trash.

While you might be imagining a messy and filthy scenario where a person dives into a dumpster, the reality is less unsanitary. In a dumpster diving attack, threat actors could be in and out of the dumpster in a matter of minutes. But they may already have their hands on a box full of confidential documents, storage devices, and workstations.

An eavesdropping attack occurs when cybercriminals steal information sent or received by a user over an unsecured network. It is also known as a “sniffing attack” and can come in different forms.

The use of the two terms “eavesdropping” and “sniffing” makes the attack seemingly mild but attackers actually do more than eavesdrop or sniff. Victims of an eavesdropping attack could suffer severe losses, as eavesdroppers could obtain sensitive information that they can sell for malicious purposes. 

Embedded systems security is a strategy that provides embedded systems protection from cyber attacks. Embedded systems, also known as “embedded computers,” are small devices with a dedicated function within a more extensive system.

Internet of Things (IoT) devices are examples of embedded systems. For instance, smart household appliances, such as your refrigerator, thermostat, and security alarm perform different functions. However, they are part of the whole household system and interconnected to each other through the Internet.

Embedded systems security aims to protect the software running on these devices since malicious actors are increasingly targeting them.

An evil maid attack targets an unattended device. The attackers with physical access to the device make undetectable changes to it so they can access it or the data stored on it later on.

The attack got its somewhat derogatory name from the scenario where a hotel maid could access an unattended device while cleaning a room. Note, though, that the concept can also occur in situations where a device is temporarily taken away from its owner, such as by airport personnel or law enforcement agents.

An evil twin attack uses a fake Wi-Fi access point that seems legitimate but is actually meant to eavesdrop on wireless communications. It is a phishing scam targeting wireless local area networks (WLANs). It lets attackers steal the passwords of unsuspecting WLAN users by monitoring their connections or through phishing. The latter requires threat actors to set up fraudulent websites to lure people to.

Physically, an evil twin attack can be compared to the following scenario: The attackers set up a booth in a conference. They ask attendees to leave their business cards in a fishbowl in exchange for freebies. Little do the people who unknowingly give out their personal details know that they are being targeted for scams.

External attack surface management (EASM) refers to the process of identifying risks originating from Internet-facing assets and systems. Apart from processes, EASM also encompasses the necessary technologies to discover external-facing assets and manage their vulnerabilities, if any.

EASM includes managing servers, credentials, public cloud misconfigurations, and third-party partner software code vulnerabilities that threat actors could exploit to get to their intended targets. At its core, EASM takes an outside-in view into an organization to identify and mitigate threats that exist beyond its network perimeter.

External penetration testing is a security strategy that assesses an organization’s external-facing assets. These assets include web applications, virtual private network (VPN) solutions, routers, firewalls, and smartphones.

In an external penetration test, assessors attempt to breach an internal network by exploiting vulnerabilities on external-facing assets. Testers can also try to access confidential data using external-facing assets like emails, websites, and file shares.

The pen-testers first need to conduct reconnaissance on the organization’s assets. They gather intelligence, including open ports, vulnerabilities, and general information about its password creation policies. Once they successfully breach the network’s perimeter, the external penetration test is done.

Federated identity in information technology (IT) refers to the identity management model that links a person’s account details across multiple websites. Federated identity management (FIM) is the reason why you can log in to websites like Canva, Pinterest, and eBay with either your Google, Facebook, or Apple account.

Despite having their identity management systems, these websites are linked through standard policies and protocols. Canva, for instance, is federated with Google, Facebook, and Apple so that the users of the three sites can log in to its platform without having to go through a different login process.

The term “FileRepMalware” does not refer to a specific type of malware but rather a detection name used by some antivirus software to indicate that a file has a low reputation or is potentially malicious. When an antivirus encounters a file it has never encountered, it may use various methods to determine its reputation and potential threat level.

One common method is by using a cloud-based reputation system. The antivirus sends the file information to a central server for analysis. If the file is associated with a known malware, it will be flagged as malicious. But if it is relatively new or has only been distributed in a limited fashion, it may not have a known reputation. As such, the antivirus may flag it as a FileRepMalware or use a similar generic name.

In essence, the term “FileRepMalware” implies that a file in question lacks a well-established reputation and could potentially be harmful. It is a must to exercise caution when encountering such a file. Consider scanning it with an updated antivirus or consult an IT professional before opening or executing it.

A green hat hacker is a newbie in the hacking world. As such, green hat hackers may not be as familiar with all the security mechanisms companies or individuals may be using. Unlike the other hacker categories, they may not be as well-versed with the inner workings of the web.

What green hat hackers lack in experience, however, they make up for in eagerness to learn and determination to go up the ranks of the hacker community.

Green hat hackers are not necessarily threat actors. In fact, they may not intentionally want to cause harm to others but may do so while practicing their craft.

Indicators of compromise (IoCs) refer to forensic data like that found in system or file logs that indicate potentially malicious activity on a system or network. They help information security and IT professionals detect data breaches, malware infections, or the presence of threats.

Monitoring for IoCs lets organizations detect attacks and act quickly to prevent breaches or limit the damage by thwarting attacks as soon as possible.

Input validation attack is a form of cyber attack where threat actors type a malicious input into a system. The input can be a piece of code, a script, or a command, which the target system then executes. As a result, threat actors can damage the system and access, copy, and manipulate sensitive information.

The cyber attack takes advantage of a vulnerability in applications and systems where user input is not thoroughly filtered and validated. Such a vulnerability creates an opportunity for malicious actors to exploit the system. An input validation attack falls under the injection vulnerability umbrella, one of the top 10 web application security risks named by the Open Web Application Security Project (OWASP) Foundation.

Integrated risk management (IRM) refers to practices and processes done via a risk-aware culture and enabling technology. It improves business decision-making and performance by giving users the whole picture of how well their organization manages risks.

Think of it as a way to monitor and manage risks (e.g., security threats, compliance requirements, etc.) using a single platform. You only need to look at one monitor, for instance, and already see if problems can potentially spring up from identified issues.

A key fob originally referred to tiny security hardware with built-in authentication to control and secure access to mobile devices, computer systems, network services, and data. It randomly generates an access code that changes periodically, typically every 30–60 seconds. To use a key fob-locked device, users need to authenticate themselves on the fob with a personal identification number (PIN), followed by the current code displayed on it.

These days, though, even car keys come in the form of key fobs to open doors and even ignite their engines. Before the first key fobs for American Motors cars emerged in 1983, these were only used on personal computers (PCs).

A key management system is a solution that manages the cryptographic keys in a cryptosystem. Think of it as the cabinet where a hotel stores all the room keys. It’s where the receptionist obtains the key to your room so he or she can hand it over to you once you’ve completed the check-in process.

Unlike the hotel’s key cabinet, however, which you can see physically, the key management system we’ll talk about in this post exists virtually—inside your computer.

Quantile normalization, in the field of statistics, is a technique that makes two distributions identical in statistical properties. The two distributions in this instance, which we’ll discuss later, are the test and reference distributions. To make them identical in terms of statistical properties, the highest entry in the test and reference distributions should be aligned, followed by the next highest, and so on.

While it sounds complex, you can think of it as two lines of five students arranged by height (i.e., shortest to tallest). The first line could have Ross, Chandler, Joey, Gunther, and Frank, and the second could have Phoebe, Monica, Rachel, Ursula, and Janice. To quantile-normalize the lines, Ross and Phoebe (the shortest male and female, making them identical in the statistical property height) will be the first test and reference subjects, respectively, followed by Chandler and Monica, and so on.

Koobface is the name of a piece of malware and the cybercriminal gang behind it that gained infamy in the late 2000s.

As a malware variant, Koobface emerged in 2008. It spread via social media platforms, notably Facebook, hence its name—a palindrome of the social networking site’s name.

The Koobface gang, meanwhile, is believed to have five Russian members. They called themselves “Ali Baba & 4.” They were Anton Korotchenko, also known as “KrotReal”; Stanislav Avdeyko, AKA “leDed”; Svyatoslav E. Polichuck, AKA “PsViat” and “PsycoMan”; Roman P. Koturbach, AKA “PoMuc”; and Alexander Koltysehv, AKA “Floppy.”

An LDAP injection is an attack that exploits vulnerable Web-based applications that construct LDAP statements based on user input. If a program fails to sanitize user input, attackers can modify LDAP statements using a local proxy. That could let them execute arbitrary commands, such as granting permissions to unauthorized queries and content modification inside the LDAP tree.

An LDAP injection attack often uses the same exploitation techniques employed in SQL injection attacks.

A logic bomb is a piece of malicious code purposely inserted into software that executes when a specific set of conditions are met. An example would be one that starts deleting files from say a salary database should the company fire its creator.

Many malware variants contain logic bombs that execute specific payloads at predefined times or when certain conditions are met. The tactic allows the malware to spread before they get noticed. Some can attack the systems they’re dropped on a specific date like April Fools’ Day and so are often called “time bombs.”

A malicious payload is an attack component responsible for executing an activity to harm the target. Some common examples of malicious payloads are worms, ransomware, and other malware that arrive on computers by clicking bad links or downloading harmful attachments.

Malicious payloads can cause data deletion, encryption, and exfiltration. In some cases, threat actors encrypt payloads to keep their malicious code hidden from antimalware solutions.

Think of malicious payloads as soldiers in camouflage. They only attack when given a signal. Malicious payloads also remain inactive until activated.

Network segmentation is the process of dividing a network into smaller parts for various reasons—control, security, and boosting performance. It is also referred to as “network segregation,” “network partitioning,” and “network isolation.” Each part of a segmented network is called a “subnetwork” or “subnet.”

So when you’re asked “What is network segmentation?,” think of a subnet as a room in your house. You divide your living area into different spaces to designate areas for rest, recreation, and work. Without the partitions, you may end up eating anywhere, thus inviting pests if you don’t have that much time to clean daily.

An open relay or open mail relay is an unsecured Simple Mail Transfer Protocol (SMTP) server that permits anyone to send messages anonymously. When you have an open relay SMTP server, outsiders can send emails to anyone through it. The outsiders in this case could be anyone on the Internet, including spammers, phishers, and other threat actors.

The mail recipients won’t know who the email is from, so threat actors are accorded anonymity. But their mail servers would know that the message was sent through your mail server and can get it blocklisted as a result. Some blocklists even automatically block open relay servers to protect email users from spam.

Operating system (OS) security is a means to protect one’s OS from all kinds of threats. The OS, of course, is the user interface (UI) that allows a user to interact with his or her computer. He or she types in commands for the system to execute.

Operating system security includes all of the preventive and control measures one puts on his or her computer to safeguard it and other connected devices (e.g., printer, etc.) that contain confidential information that hackers would likely steal, modify, or delete if the system is compromised.

Think of operating system security as all of the procedures (e.g., going through a security check at a building entrance, etc.) and measures (e.g., locking out all unauthorized personnel from internal staff-only rooms, etc.) that building managers and staff employ to keep thieves and other unwanted people out of office premises.

OSINT, short for “open-source intelligence,” refers to information obtained from publicly available sources to produce actionable intelligence. If you’ve never come across the term “actionable intelligence” before, it is the data cybersecurity specialists use to thwart cyber attacks, prevent threats from entering their networks, or mitigate ongoing attacks.

Given the OSINT meaning above, it’s primarily used for national security, law enforcement, and business intelligence gathering.

Packet capture refers to seizing a data packet that is traveling to or from a specific computer network. When a packet is “captured,” it is stored temporarily for analysis. It is inspected to diagnose and solve network problems and determine if its structure follows network security policies.

Hackers or threat actors use packet capturing techniques to steal data transmitted over a network.

You can liken packet capturing to an airport’s passenger entrance security protocol. Pieces of baggage and passengers go through a stringent check to make sure they don’t contain or aren’t carrying any forbidden items that can cause any damage to anyone or the establishment itself.

Passive reconnaissance is an attempt to gather information about targeted computers and networks without actually communicating with them. The term originated from the military, which does passive reconnaissance before embarking on an information-gathering mission. Instead of attacking right away, they first obtain the necessary information to direct their strategies. Today, passive reconnaissance has become the first step hackers take before exploiting system or network vulnerabilities.

Think of passive reconnaissance as stalking someone on social media. While you’re not necessarily talking directly to your subject, you are actively seeking information on him/her.

Password management is a set of principles and processes to be followed online in order to manage and store passwords securely and effectively and prevent unauthorized access as much as possible.

People use password managers to handle their passwords due to the more extensive security and comfort that they provide.

Perimeter security comes from a built-in multipurpose system that detects threats, performs surveillance, and analyzes attack patterns. As such, it often serves as a network’s first line of defense against many dangers that can harm connected systems.

An airport that serves as the gateway to and from a country typically uses perimeter security made up of intrusion detection systems (IDSs), alarms, and 24-hour-manned closed-circuit television (CCTV) cameras to ensure that any criminal who goes in and out of a protected territory is caught.

In computing, perimeter security follows the same principle to protect valuable data. Various elements or systems work together to keep confidential data safe from unauthorized access.

Phishing-as-a-service (PhaaS) occurs when cybercriminals sell access to all the things you’ll need to instigate a phishing attack in the black market typically found on the Dark Web. The business model follows the legitimate software-as-a-service (SaaS) model. Companies offer users access to their specially crafted solutions for a subscription fee instead of purchasing a license to install the program on their computers.

PhaaS has made it easy even for cybercriminal newbies to launch phishing campaigns even if they can’t code.

The ping of death (PoD) command is a type of denial-of-service (DoS) attack where hackers work to destabilize or freeze the target computer service. They do so by sending oversized packets via a ping command. The ping command checks the availability of a network resource.

Using the ping of death command requires attackers to send data packets above the maximum limit that the Transmission Control Protocol/Internet Protocol (TCP/IP) allows. Since the packets are more than what a server can handle, they can cause the target system to reboot, freeze, or completely crash.

Post-quantum cryptography is an encryption approach that aims to provide security in anticipation of the development of quantum computers. These computers can perform more powerful computations than regular ones and are believed to break existing cryptographic algorithm approaches. 

Post-quantum cryptography is also referred to as “quantum-resistant,” “quantum-proof,” or “quantum-safe” cryptography. Cryptographic experts started exploring the development of post-quantum cryptography around the 1990s after mathematician Peter Shor demonstrated that a quantum computer could easily crack public-key encryption.

Back then, the quantum computer was still theoretical. Large tech companies like IBM and Intel have invested billions of dollars in developing quantum computers in recent years. Post-quantum cryptography helps us protect our data when these quantum computers become available.

Purple team security is a methodology where so-called red and blue security teams work closely to maximize their cyber capabilities through continuous feedback and knowledge transfer. It helps security teams improve their vulnerability detection, threat hunting, and network monitoring through accurate simulations of common threat scenarios and creating new techniques to prevent and detect new threats.

You can think of purple team security or purple teaming as a red and blue team security combination. We’ll tell you all about each type of security methodology in the following sections.

A quid pro quo attack is a low-level form of hacking that relies on social engineering. An example would be when an attacker calls your phone pretending to be from one of your service providers’ technical support representatives. He or she will offer you some assistance, which would, however, only work if you’re experiencing some difficulty.

Availing of the hacker’s “service” actually gives him or her access to your computer, device, or home network to plant malware. Therein lies the rub, as successful ransomware installation, for instance, can let attackers hostage your files for large sums of money.

A red hat hacker is a hacker who takes aggressive steps to stop black hat hackers. While red hat hackers are not inherently evil, they do everything they can to stop the bad guys, including taking matters into their own hands. They go to the lengths of launching full-scale attacks to take down cybercriminals’ or cyber attackers’ servers and destroy their resources.

Red hat hackers are often dubbed the Robin Hoods of the virtual world. Like the heroic outlaw, they are not opposed to stealing back what the cybercriminals or cyber attackers stole from their victims. And like Robin Hood and his Merry Men, they won’t keep the stolen goods for themselves. Instead, they will give them back to their owners.

A replay attack happens when cybercriminals eavesdrop on secure network communications, intercept them, and change them to make the receivers do what they want. What makes it more dangerous, though, is that it does not require advanced hacking skills when the target messages are not encrypted.

You can compare it to fraudsters who steal mail from your mailbox (a service provider bill), open it, replace its content (the account details where payment should be sent with those that point to an account under the attackers’ control), and resend it via the same postal office like nothing happened.

A reverse shell is a type of session cyber attackers commonly use to open communication ports between their machines and the victims’. It is also one of the penetration testers’ go-to methods.

A reverse shell, also known as a “connect-back shell,” takes advantage of the target system’s vulnerabilities to initiate a shell session then gain access to the victim’s computer. The goal is to connect to a remote computer and redirect the input and output connections of the target system’s shell so the attacker can access it remotely.

Sandboxing is a process where an application is separated from other programs and system resources for security purposes. So if the application proves malicious, the other systems and programs in the same network would not be affected or infected with malware. Afterward, the malicious program can either be cleaned if it is required or deleted if it is unnecessary, without causing problems within the networked environment—essentially, the systems and devices that are connected to one another and the Internet.

It is just like building sandboxes in real life. They are made to contain playtime within a specified area because you don’t want toys to be scattered throughout your yard. It also prevents your child from wandering to potentially dangerous areas.

Sasser (detected as Sasser.A) is a computer worm, a type of malware, that affects computers running vulnerable versions of Microsoft Windows XP and Windows 2000. It spreads by exploiting a port vulnerability, specifically in Transmission Control Protocol (TCP) port 445, which authenticates or identifies network users.

While Microsoft released a patch for Sasser in its MS04-011 bulletin 17 days before the first attack hit, the worm still wreaked a lot of havoc when it spread to many computers back in April 2004.

Security by design or secure by design is an approach to product development that considers cybersecurity at the onset. It does away with the “let’s cross the bridge when we get there” outlook on cybersecurity and makes software or hardware more secure. It is similar to designing a house and ensuring that it is earthquake-resistant and hurricane- or typhoon-proof.

Security by design ensures that security controls are built into a product’s design, rather than as an afterthought. Such an approach reduces the likelihood of cybersecurity breaches and has become common in product development.

A security framework is a compilation of state-mandated and international cybersecurity policies and processes to protect critical infrastructure. It includes precise instructions for companies to handle the personal information stored in systems to ensure their decreased vulnerability to security-related risks.

Since a security framework has proven useful to entire industries, many, if not all, organizations strive to adhere to their mandates when crafting security guidelines for their networks.

A security misconfiguration is an error that occurs when security controls are inaccurately configured or left insecure. It puts systems and data at risk. And any poorly documented configuration changes, default settings, or technical issues in any system component could lead to a misconfiguration.

Simply put, therefore, a security misconfiguration is any error in how a device has been set up to work.

A security zone is a part of the network to define specific policies and protocols to keep the entire network threat-free. The components of a security zone may have limited access to other parts of the internal network to prevent unauthorized access.

You can think of a security zone as parts of your home that only specific family members can enter. You can disallow helpers and your kids to enter your home office, for instance. Security zones can refer to executives’ offices and your HR’s document storage room in an office. They should be closed off to all other employees because they may contain confidential files that no one else should see.

Security zones come in various types and have different uses, which will be discussed in greater detail in the succeeding sections. We’ll also tackle some policies applied to security zones.

Security-as-a-service is any service obtained from a third party to handle and manage cybersecurity needs. As with software-as-a-service (SaaS), security-as-a-service delivers cybersecurity from the cloud, making it a popular choice for organizations to limit their number of in-house security personnel, reduce maintenance costs, and scale security along with business growth.

With security-as-a-service, companies no longer need to purchase security solutions and manage and maintain them locally. Their IT departments no longer need to install antimalware and other security tools on each device or server. All of these would be taken care of by their providers.

Think of it as hiring a professional team of security guards that ensures that no unauthorized personnel or unwanted guests are allowed entry into your premises. You don’t need to hire nor train them yourself.

Shift left security is the practice of applying security to an application in development at the earliest possible stage. Instead of testing how secure your program is when it’s near the end of the product development life cycle, you do so as early as possible. That not only saves you time and effort in revamping the entire software code in the end but also ensures better security and efficiency.

When you’re cooking, you can liken shift left security to tasting your dish as soon as you finish seasoning it to quickly make adjustments before it becomes too late.

Signature-based detection is a process that is commonly used to address software threats on your computer. These threats may include malware, viruses, worms, Trojans, and many others. 

In signature-based detection, appropriate signatures for each file are created and compared with known signatures that have been stored and detected before. The process never stops until a match is found. When this happens, the file is considered a threat and automatically gets blocked.

The antivirus programs you installed on your computer may be using signature-based detection to check for malware.

SIM jacking, also known as “SIM swapping” or “SIM hijacking,” is a type of cyber attack where threat actors take control of victims’ phone numbers by convincing their mobile carriers to transfer the numbers to a SIM card they own. Such an attack exploits the fact that many online accounts and services use phone numbers as a form of two-factor authentication (2FA) or account recovery method.

SIM jacking, simply put, is stealing someone else’s number so the thief can pose as the SIM card’s owner. You can liken it to when an impostor creates a social media account while posing as you.

An SMTP hack abuses vulnerabilities found in the Simple Mail Transfer Protocol (SMTP), allowing hackers to rely on the victim’s reputation when sending spam and phishing emails. For example, when attackers hack into the SMTP server of Company A, they can send emails using the victim’s domain. These emails could contain spammy messages or malware but would look like they were from someone within the organization whose domain was used.

As a result, the hacked organization’s email domain or Internet Protocol (IP) address could be blocklisted. But this is just the tip of the iceberg. The victim’s reputation can get severely damaged because of the SMTP hack, causing clients to lose their confidence in the company.

A sniffing attack is an act of intercepting or capturing data while in transit through a network. The concept is similar to law enforcers wiretapping a suspect’s phone line to gather necessary information. Remember when the Federal Bureau of Investigation (FBI) wiretapped Leonardo DiCaprio’s phones in the movie The Wolf of Wall Street? So instead of using wiretaps to catch bad guys and seek justice, sniffing attacks are employed by cybercriminals to steal data.

During a sniffing attack, hackers can steal any information victims transmit as long as it is not encrypted. The data can include usernames, passwords, bank and credit card accounts, favorite websites, and email messages. Cybercriminals can then use this data to further steal from victims. For one, they could access a victim’s bank accounts and use his/her credit card details in fraudulent transactions. They could also sell stolen usernames and passwords on the Dark Web or steal victims’ identities.

SOAR stands for “security orchestration, automation, and response.” Gartner coined the term in 2017 to refer to security platforms that gather cyberthreat data from multiple solutions into one location for more accessible and more efficient incident response and threat management.

Threat intelligence fed into SOAR platforms can come from firewalls, vulnerability scanners, endpoint protection systems, threat intelligence feeds, and security information and event management (SIEM) platforms.

The rationale behind SOAR is similar to that of storing data in the cloud, such as syncing photos from different devices to iCloud or Google Photos. Instead of saving photos on each of the devices you own, you can log in to these cloud services and browse them from there. 

A Secure Sockets Layer (SSL) stripping attack allows threat actors to downgrade a web connection from HyperText Transfer Protocol Secure (HTTPS) to the less secure HTTP. It is also known as an “SSL or HTTP downgrade attack.”

An SSL stripping attack decrypts all communications, allowing hackers to perform a man-in-the-middle (MitM) attack where they sit in the middle of a conversation to listen to or intercept confidential information.

A stealth virus is a kind of malware that does everything to avoid detection by antivirus or antimalware. It can hide in legitimate files, boot sectors, and partitions without alerting the system or user about its presence. Once inside a computer, a stealth virus allows an attacker to take over the functions of the infected computer.

A stealth virus is like a rebel who wears a camouflage suit to remain unidentifiable among soldiers. He or she can then pretend to be one of the good guys to infiltrate a target.

The STRIDE model, short for “spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege model,” is a threat model created by Praerit Garg and Loren Kohnfelder to identify digital security threats.

The STRIDE model involves going through all of a network’s processes, data repositories, data flows, and trust boundaries to find threats. It basically answers the question: What can go wrong in a computer system?

Symmetric encryption is a means of protecting data using a secret key to encrypt (lock) and decrypt (unlock) it. The sender and recipient share the key or password to gain access to the information. The key can be a word; a phrase; or a nonsensical or random string of letters, numbers, and symbols.

Many organizations use symmetric encryption because it is relatively inexpensive. But it does come with some flaws. A key in symmetric encryption can be used forever. And that sometimes leads organizations to forget to change them. As a result, even users who may no longer be part of the company can intercept and read encrypted data.

Think of symmetric encryption as the combination to an office vault. Anyone who has it can unlock and access the vault's contents.

A SYN flood attack is a denial-of-service (DoS) attack that renders a server unavailable to legitimate traffic by using up all of its resources. Also known as a “half-open attack,” threat actors repeatedly send initial connection requests or SYN packets to overwhelm all the available ports on the target server, causing it to respond to legitimate traffic slowly or not at all.

You can compare it to an intersection where only one of the crisscrossing streets allows vehicles to pass through while the other street fills up with vehicles that wish to cross to the other side.

A tailgating attack, also referred to as “piggybacking,” involves attackers seeking entry to a restricted area without proper authentication. In it, the perpetrators can simply follow an authorized person into a restricted location. They can impersonate delivery men carrying tons of packages, waiting for an employee to open the door. They can ask the unknowing target to hold the door, bypassing security measures like electronic access control.

Tarpitting is the process of intentionally delaying the sending of mass emails to avoid getting tagged as a spammer. In it, system administrators can configure a specific mail server to insert a pause in-between sending emails with huge recipient numbers. But while tarpitting can benefit legitimate companies that want to stay protected from spamming, cybercriminals can also abuse it to bypass security measures. They can delay spam mail sending time so these would not be considered spam.

The term “tarpitting” came from the concept of a “tar pit.” Falling into one would significantly slow you down.

A teardrop attack is a kind of denial-of-service (DoS) attack or one that’s meant to take a target website or network offline. In it, an attacker sends fragmented data packets to the target device. The nature of the packets makes it hard for the system to read the data. The effort to do so ultimately overwhelms the machine, causing it to crash.

A teardrop attack typically works on computers with older operating systems (OSs) such as Windows 95, Windows 3.1x, Windows NT, and earlier Linux versions. Some attacks also worked, though, on systems running Windows 7 and Windows Vista.

A teardrop attack can be likened to an unruly group of shoppers all trying to enter an establishment with a massive sale at the same time. Once the shop doors open, they run en masse, causing a stampede and accidents. The establishment may need to close until the situation is dealt with because the shop owner needs to attend to the injured.

Threat intelligence feeds refer to continuous data streams that provide information on threats that can adversely affect an organization’s security. They give security teams a list of indicators of compromise (IoCs) that includes malicious URLs, malware hashes, and malicious email and IP addresses related to attacks.

Often, the data obtained from threat intelligence feeds dictate the next steps or actions that security teams need to take to protect their organizations. These actions include blacklisting IoCs or blocking connection requests from identified threat sources and preventing malware from reaching connected systems.

Threat intelligence feeds differ from threat information, which refers to general data without contextual relevance that a security analyst or investigator can use to take the necessary action to prevent loss. They can be likened to routes on a driving app that tells the driver which is the best way to take, depending on his/her goal (e.g., less time, no traffic, no traffic enforcers, etc.).

Threat modeling is the process of identifying network vulnerabilities and optimizing security to enhance mitigation strategies. The practice is often done to protect valuable information or prevent adverse events that may lead to malicious attacks. It is ideal in building a culture of security throughout an enterprise.

Think of threat modeling as predicting what could go wrong. For example, before walking into a dark alley, you should assess if you’re likely to be attacked. Ask yourself questions like “Where will the attacker come from?” and “Can I defend myself? How?”

Threatware refers to computer programs developed by threat actors to gain unauthorized access to victims’ computers. They are used to harm devices with the end goal of stealing their owners’ sensitive information. Threatware are also called “malware,” specifically “spyware.”

Various kinds of threatware have alarmingly spread over the years, including ransomware, keyloggers, trojans, and adware.

A tunneling virus is any virus that gets installed before an antivirus can detect it. It executes without alerting the sensors of the operating system (OS) to avoid antivirus detection.

A tunneling virus disables a computer’s interception programs. While some antivirus solutions can detect the malicious code, they can’t stop this type of virus from getting installed. More advanced antivirus programs that employ tunneling strategies may be the only ones capable of detecting and preventing the execution of a tunneling virus.

You can compare a tunneling virus to thieves entering an establishment via the sewer system, so they don’t have to deal with alarms.

Twofish encryption is a block cipher (or an encryption method in simple terms) that is 128 bits in size and uses a key that’s up to 256 bits long. Let’s break that definition down to its components to simplify.

As a block cipher, twofish encryption encrypts data in blocks using a deterministic algorithm and a symmetric key. A deterministic algorithm is an algorithm that will always produce the same output no matter the input used so long as the machine that uses it follows the same procedure. A symmetric key, meanwhile, is a single key that encrypts and decrypts data.

A Unified Threat Management (UTM) firewall is a network security device that performs multiple security functions. These functions include firewall, intrusion detection/prevention, antivirus, content filtering, and virtual private network (VPN) services.

A UTM firewall protects networks from various threats, such as malware, viruses, spam, phishing attacks, and malicious traffic. By integrating multiple security functions, UTM firewalls provide a comprehensive approach to network security, making it easier for organizations to manage their security infrastructure.

The vulnerability management process refers to the never-ending and constant practice of identifying, assessing, reporting, managing, and remediating vulnerabilities across devices, workloads, and systems. It requires a vulnerability management tool that detects vulnerabilities and employs different processes to patch or remediate them.

Effective vulnerability management processes utilize threat intelligence and IT and business operation knowledge to prioritize risks and address vulnerabilities as fast as possible.

Warchalking occurs when people draw symbols in areas to indicate the presence of an open Wi-Fi network. The symbols used typically say something about the access point. At its height, warchalking attracted hackers to break into the said public Wi-Fi networks and gather information about their users.

Think of warchalking as street signs that point people in the right direction.

Wardriving is the act of looking for publicly accessible Wi-Fi networks while in a moving vehicle (hence the word “driving”) for later potential use in attacks (now you know why the term “war”).

Due to its nature, wardriving requires the use of portable devices like a laptop or a smartphone. Software that aids perpetrators in the task are sadly available free of charge on the Web. Other terms have been coined for similar tactics, depending on the transportation means used. We’ve seen warbiking, warcycling, warcarting, warwalking, warflying, warrocketing, warballooning, and warboating used as well.

Think of wardriving as a thief going house to house in search of poorly protected ones to rob.

Web application penetration testing refers to testing the security of web application firewalls (WAFs), which filter, monitor, and block incoming and outgoing web service traffic, to make them as impenetrable as possible. To do it, penetration testers or pen-testers, for short, can attempt to breach a company’s applications, such as application protocol interfaces (APIs) and frontend and backend servers, to see if they have weaknesses that can be exploited through code injection attacks.

The results and findings of web application penetration tests are useful in fine-tuning WAF security policies and patching uncovered vulnerabilities.