The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities.
Related Term(s): access control mechanism
Access Control Mechanism
Security measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility.
Access logs are an essential tool for DevOps and server operations teams. They provide valuable information about the requests made to your server, including details about the request, the user, and the server's response.
Account takeover (ATO) is an increasingly prevalent form of cybercrime, with attackers gaining unauthorized access to online accounts by exploiting stolen credentials. The consequences of these attacks can be devastating for individuals and organizations alike, resulting in financial loss, identity theft, and damage to reputation. In this comprehensive guide, we will explore the various methods cybercriminals use to carry out ATO attacks, and most importantly, share essential strategies for protecting your organization and customers against this growing threat.
An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations.
Related Term(s): passive attack
An advanced persistent threat is a cyberattack wherein criminals work together to steal data or infiltrate systems over a longer period of time.
AitM attacks involve threat actors eavesdropping, intercepting, or manipulating data traffic before actively engaging or hijacking.
Learn about adware: what it is, why it's dangerous, and how you can protect yourself from it. By following the tips in this post, you can help protect your computer from being infected with adware.
The physical separation or isolation of a system from other systems or networks.
A notification that a specific attack has been detected or directed at an organization’s information systems.
A program that specializes in detecting and blocking or removing forms of spyware.
Related Term(s): spyware
Application whitelisting is one form of endpoint security. It's aimed at preventing malicious programs from running on a network.
AI systems can perform tasks requiring human intelligence, such as problem-solving, pattern recognition, and decision-making.
Anything useful that contributes to the success of something, such as an organizational mission; assets are things of value or properties to which value can be assigned.
An information system’s characteristics that permit an adversary to probe, attack, or maintain a presence in the information system.
Azure Kubernetes Service (AKS) is the fully managed Kubernetes container orchestration service from Microsoft Azure. With AKS, you can quickly create and deploy containerized applications on a large scale, with built-in security and monitoring capabilities, making it easier for developers and IT professionals to focus on innovation and accelerate the delivery of applications to customers.
Observing activities of users, information systems, and processes and measuring the activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.
Synonym(s): behavior monitoring
A group that defends an enterprise’s information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exercise conducted according to rules established and monitored by a neutral group (i.e., the White Team).
A computer connected to the Internet that has been surreptitiously (secretly) compromised with malicious logic to perform activities under the remote command and control of a remote administrator.
Related Term(s): botnet
What is a Botnet? Botnets are behind many types of attacks and hacks. Read about some real-life examples of botnets and learn how they are executed.
Brute force attacks involve systematically trying every possible combination of passwords until the correct one is found.
Bulletproof hosting services are actively used by platforms such as online casinos, spam distribution sites, and pornographic resources. Learn more here.
Business Email Compromises cost companies over $1.7bn last year, far outstripping ransomware. What is BEC and how can you avoid being the next victim?
Business process outsourcing (BPO) is a type of outsourcing that involves the transfer of specific business functions or processes to a third-party service provider. A successful attack on a BPO company can provide access to a large amount of sensitive data from multiple clients.
BYOD (Bring Your Own Device) is a policy or practice that allows employees to use their personal devices, such as smartphones or laptops, for work purposes.
Data or information in its encrypted form.
Related Term(s): plaintext
A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud encryption is a security measure used to protect sensitive data stored or transmitted through cloud services. It involves converting plaintext data into ciphertext using encryption algorithms, making it unreadable to unauthorized users. In cloud computing, encryption can be applied to data at rest (stored data) or data in transit (data being transmitted between systems or users).
Cloud ransomware is a type of malware that infiltrates cloud-based systems and encrypts data, rendering it inaccessible to users. The attackers then demand a ransom, typically in the form of cryptocurrencies like Bitcoin, to decrypt and release the affected data. The shift to cloud computing has made this an increasingly prevalent threat, as businesses move more of their data and operations to cloud-based services.
Cloud Security helps enterprises handle challenges when storing data in the cloud. Learn about securing cloud workloads, remote work infrastructure & more.
The Cloud Shared Responsibility Model is a vital concept in cloud security that defines the responsibilities of both cloud service providers and their customers. This model ensures both parties understand their roles in securing cloud assets and prevents confusion and misunderstandings.
A Cloud Native Application Protection Platform (CNAPP) is a security solution to protect cloud-native applications. These applications are built using microservices architecture and run on containerized environments like Kubernetes, OpenShift, or Docker. A CNAPP offers a holistic approach to cloud security, protecting the entire application lifecycle from development to production.
Cobalt Strike is a commercial penetration testing tool used by security professionals to assess the security of networks and systems. It can be used for malicious purposes but is not malware in the traditional sense.
C2 servers are commonly used by threat actors to coordinate attacks, such as data breaches, malware dissemination, and ransomware.
A CDN is a globally distributed server network that works together to deliver internet content more quickly and efficiently. By caching content at multiple locations around the world, CDNs reduce the distance between the user and the content, resulting in faster load times, improved performance, and enhanced user experience. CDNs also help protect websites from malicious traffic and DDoS attacks by serving as a secure proxy between users and the origin server.
Cookie logging is the process of capturing and storing HTTP cookies that are exchanged between a web server and a user's browser. Cookies are small data files that contain information about a user's activity on a website, such as login credentials, session IDs, historical actions, and more.
Cybercriminals steal usernames and passwords using tactics varying from phishing attacks and data breaches to malware and social engineering.
Cross-platform security refers to a comprehensive approach to safeguarding an organization's digital assets across multiple operating systems, devices, and environments. In today's diverse IT landscape, where Windows, macOS, Linux, and various cloud-based systems coexist, ensuring consistent and reliable protection against cyber threats is crucial. Cross-platform security solutions provide a unified defense strategy, enabling businesses to manage and maintain the security of their infrastructure more efficiently, regardless of the platforms being used.
Crypto malware is a type of malicious software that targets digital wallets and cryptocurrency exchanges. It is designed to steal cryptocurrency by infecting a user's computer or device and gaining access to their digital wallet or exchange account. Once the malware has access, it can transfer cryptocurrency to the attacker's account, steal private keys or passwords, or even encrypt files and demand a ransom.
A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
Related Term(s): key, encryption, decryption, symmetric key, asymmetric key
The art or science concerning the principles, means, and methods for converting plaintext into ciphertext and for restoring encrypted ciphertext to plaintext.
Related Term(s): plaintext, ciphertext, encryption, decryption
The information and communications systems and services composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements: Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information.
A Cyber Kill Chain, also known as a Cyber Attack Lifecycle, is the series of stages in a cyberattack, from reconnaissance through to exfiltration of data and assets.
In the NICE Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.
Cyber Risk Management is a crucial process that helps organizations identify, assess, and mitigate potential risks to their digital assets. It involves analyzing potential threats, vulnerabilities, and impacts on an organization's information technology infrastructure, networks, and data. By adopting Cyber Risk Management strategies, organizations can improve their security posture, comply with regulatory requirements, ensure business continuity, and allocate resources effectively.
Threat intelligence, or cyber threat intelligence, involves analyzing any and all threats to an organization.
The process begins with gathering as much information as possible in order to have the knowledge that allows your organization to prevent or mitigate potential attacks.
Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.
Cybersecurity training is essential for professionals looking to protect their organization's sensitive data and systems. Many resources are available to learn the latest security best practices, from online courses to in-person workshops.
The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
The dark web is a part of the internet that is not indexed by search engines and can only be accessed using special software, such as the TOR browser. It is often used to facilitate illegal activities, such as the sale of illegal goods and services.
Darknets and dark markets are covert online spaces designed to operate beyond the reach of law enforcement and ethical oversight.
The process of gathering and combining data from different sources, so that the combined data reveals new information.
Related Term(s): data mining
A data breach is when sensitive or confidential information is accessed or stolen without authorization. This can be done through hacking, malware, or other means and can significantly damage individuals, businesses, and organizations.
The property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner.
Related Term(s): integrity, system integrity
DLP (Data Loss Prevention) is a security technique that helps prevent sensitive data from being lost or stolen. It uses policies and technologies to monitor and protect data in motion, at rest, and in use.
The process of converting encrypted data back into its original form, so it can be understood.
Synonym(s): decode, decrypt, decipher
With most of us consuming news from social media, how much of a cybersecurity threat is fake news created by Deepfake content? What can we do about it?
A denial of service (DoS) attack is a type of cyber attack that uses a single system to send a high volume of traffic or requests to a targeted network or system, disrupting its availability to legitimate users.
DevOps is a set of practices that brings together software development (Dev) and IT operations (Ops) to enable the continuous delivery of high-quality software applications. It involves collaboration, automation, and communication between software developers and IT professionals to streamline the software development process and improve software delivery's overall efficiency and reliability. DevOps practices include continuous integration and deployment, automated testing, infrastructure as code, monitoring and logging, and agile methodologies. The ultimate goal of DevOps is to deliver software applications faster, with higher quality, and at a lower cost.
DevSecOps is a software development methodology that integrates security as a shared responsibility throughout the IT lifecycle. The term "DevSecOps" is derived from the words "development," "security," and "operations." It emphasizes the importance of security in the development of software applications and aims to prevent security issues from being an afterthought. DevSecOps is an approach to culture, automation, and platform design that focuses on integrating security into the development process from the outset.
DFIR (Digital Forensics and Incident Response) is a rapidly growing field in cybersecurity that helps organizations uncover evidence and investigate cyberattacks. It combines digital investigation and incident response to help manage the complexity of cybersecurity incidents. DFIR includes forensic collection, triage and investigation, notification and reporting, and incident follow-up. Digital forensics focuses on collecting and analyzing data from IT systems to determine the root cause of a cybersecurity incident, while incident response involves taking immediate actions following a security compromise or breach, including identifying the scope and impact of the incident and recovering from it. DFIR is valuable for computer security incident response teams and can be used for remote investigation and proactive threat hunting.
In the NICE Framework, cybersecurity work where a person: Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability, mitigation, and/or criminal, fraud, counterintelligence or law enforcement investigations.
Synonym(s): computer forensics, forensics
A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.
Related Term(s): electronic signature
A DDoS attack is a type of cyber attack that uses multiple systems to send high traffic or requests to a targeted network or system, disrupting its availability to legitimate users.
An attacker that gains control over your DNS gains control over your entire domain. How can you know, and what can you do to stop, DNS hijacking?
Double extortion combines traditional ransomware with data exfiltration that occurs before the data is encrypted and the ransom is demanded.
Endpoint Detection and Response (EDR) is a cybersecurity approach that focuses on detecting and investigating security incidents on endpoints like desktops, laptops, servers, and mobile devices. EDR solutions collect and analyze endpoint data, network traffic, and user behavior to detect anomalous activities that could indicate a security breach.
Elastic Kubernetes Service (EKS) is Amazon Web Services' (AWS) fully managed Kubernetes service, designed to simplify the deployment and management of containerized applications at scale.
Any mark in electronic form associated with an electronic document, applied with the intent to sign the document.
Related Term(s): digital signature
The generic term encompassing encipher and encode.
Synonym(s): encipher, encode
Ensures network security by formally screening, authenticating, and monitoring endpoints with an endpoint management tool. Endpoint management tools are primarily used to manage devices and provide support, giving administrators the ability to oversee endpoint activities.
Endpoint security is the process of protecting user endpoints (desktop workstations, laptops, and mobile devices) from threats such as malware, ransomware, and zero-days.
A technique to breach the security of a network or information system in violation of security policy.
In the NICE Framework, cybersecurity work where a person: Analyzes collected information to identify vulnerabilities and potential for exploitation.
Extended Berkeley Packet Filter (eBPF) is a powerful and versatile technology that allows developers to both safely and efficiently run custom code inside the Linux kernel. Due to its ability to enable deep visibility and control of system behavior, eBPF has seen much popularity in recent years. Developers rely on eBPF to provide a common infrastructure for a wide range of use cases, including networking, security, tracing, and performance analysis.
Failure (System Failure)
The inability of a system or component to perform its required functions within specified performance requirements.
As the name suggests, this type of malware is a malicious program that uses software already present on a computer in order to infect it. Since it does not rely on using files of its own, it can be notably difficult to prevent and detect. By extension, this also makes it difficult to remove.
A hardware/software device or a software program that limits network traffic according to a set of rules of what access is and is not allowed or authorized.
Google Kubernetes Engine, or GKE, is a powerful tool for managing containerized applications. It is a managed environment for deploying, managing and scaling containerized applications using Kubernetes, an open-source container orchestration system. GKE provides a platform to run and manage containerized applications on the Google Cloud Platform (GCP).
A hacker is a person who uses their technical skills and knowledge to gain unauthorized access to computer systems and networks and may be motivated by a variety of factors, including financial gain, political activism, or personal curiosity.
What is hacktivism? Learn about its origins to the present day, its motivations and why hacktivist groups should still be on your threat assessment radar.
A numeric value resulting from applying a mathematical algorithm against a set of data such as a file.
Synonym(s): cryptographic hash value
Related Term(s): hashing
Find out what hashing is used for, how it works to transform keys and characters, and how it relates to data structure, cybersecurity and cryptography.
The term “honeypot” originally comes from the world of military espionage, wherein spies would use a romantic relationship to steal secrets from the enemy. By setting a “honey trap” or a “honeypot,” they aimed to attract and ensnare targets into divulging sensitive information.
In cybersecurity, cyber honeypots often work fundamentally in the same way as traditional honeypots.
ICMP Flood, also known as Ping Flood, is a type of DDoS attack that leverages the Internet Control Message Protocol (ICMP) to overwhelm a target with a large volume of network traffic. Attackers use this method to disrupt the target's online services, making them unavailable to legitimate users.
IAM ensures that only authorized users can access the right resources at the right time by managing and controlling access.
Identity and Access Management
The methods and processes used to manage subjects and their authentication and authorizations to access specific objects.
Identity security is the process of adopting Identity Attack Surface Management (ID-ASM) and Identity Threat Detection and Response (ITDR) tools to detect credential theft, privilege misuse, attacks on Active Directory, risky entitlements, and other methods that create attack paths.
An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
Related Term(s): event
Incident response (IR) is the set of actions an organization takes in response to a cyber attack or breach. It's important to have an IR plan in place to address incidents quickly and effectively, but 65% of organizations say fragmented IT and security infrastructure is a barrier to increasing cyber resilience.
Incident Response Plan
A set of predetermined and documented procedures to detect and respond to a cyber incident.
An occurrence or sign that an incident may have occurred or may be in progress.
Related Term(s): precursor
Indicator of Compromise (IoC) is a term that refers to evidence of an intrusion into a network or system. It is a piece of information that suggests that a security breach has occurred or is currently happening. In cybersecurity, the Indicator of Compromise (IoC) is vital in detecting and mitigating cyber threats.
The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality.
Related Term(s): information security
An exchange of data, information, and/or knowledge to manage risks or respond to incidents.
Any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.
Related Term(s): information and communication(s) technology
Insider threats are security risks that originate from within an organization. These threats come from employees, contractors, or business partners who have access to sensitive information, systems, or assets. The risk of insider threats is significant, and it is essential for organizations to understand this risk and take measures to prevent or mitigate it.
Jailbreaking refers to removing software restrictions imposed by the manufacturer on a device, such as a smartphone or a tablet. This process allows users to fully access the device's operating system and install custom firmware, third-party applications, and otherwise unavailable tweaks.
Kerberoasting attacks target the Kerberos protocol to steal encrypted service tickets. Attackers can use these tickets to compromise service accounts, gaining access to sensitive information & network resources. Protect your org with strong passwords & network segmentation.
Two mathematically related keys having the property that one key can be used to encrypt a message that can only be decrypted using the other key.
Related Term(s): private key, public key
A publicly or privately controlled asset necessary to sustain continuity of government and/or economic operations, or an asset that is of great historical significance.
Related Term(s): critical infrastructure
A keylogger is a type of software or hardware device that is used to capture and record every keystroke made on a computer or mobile device keyboard. Keyloggers are typically used for monitoring and surveillance purposes, such as in employee monitoring or parental control software.
Keyloggers can be installed on a computer or device either with or without the user's knowledge or consent. Some keyloggers are designed to be invisible, running in the background and recording all keystrokes without the user's awareness. Other keyloggers may be installed intentionally by the user, for example, to track their own activity or to troubleshoot issues with their device.
The recorded keystrokes can reveal sensitive information such as passwords, credit card details, and personal messages. Therefore, keyloggers can be used for malicious purposes like stealing confidential information, identity theft, or cyber espionage. It's important to note that the use of keyloggers without the user's consent is illegal in many jurisdictions.
Kubernetes is an open-source platform designed to manage containerized workloads and services. It automates the deployment, scaling, and management of containerized applications. Kubernetes was first released in 2014 by Google, and now it is maintained by the Cloud Native Computing Foundation (CNCF).
In cybersecurity, lateral movement refers to the movement of an attacker within a victim’s network. Lateral movement is typically done in order to extend the reach of the attack and to find new systems or data that can be compromised. Lateral movement can occur at any stage of an attack but is most commonly seen during the post-compromise phase.
ML empowers systems to learn from and adapt to data, making decisions and predictions based on patterns and insights without being explicitly programmed to do so.
A macro virus is a type of malicious software that is spread through macro-enabled documents, such as Microsoft Office files, and is designed to infect a computer and cause harm.
Computer malware is a type of software that is designed to cause damage to a computer, server, or computer network. It can take many forms, such as viruses, worms, Trojan horses, ransomware, and spyware.
Malware analysis is the process of taking a close look at a suspicious file or URL to detect potential threats. It is one of the first steps to identifying malware before it can infect a system and cause harm to critical assets.
Malware detection is an essential aspect of cybersecurity that helps organizations identify, analyze, and mitigate threats posed by malicious software. With the increasing sophistication of cybercriminals, understanding malware detection methods and implementing robust protection measures is more critical than ever.
A man-in-the-middle (MITM) attack is a type of cyber attack in which an attacker intercepts and manipulates communication between two parties. This can allow the attacker to eavesdrop on the conversation, alter the messages being exchanged, or impersonate one of the parties to gain access to sensitive information.
In MitM attacks, threat actors work to intercept and potentially alter communication between two parties, compromising data confidentiality.
Managed Detection and Response is a comprehensive cybersecurity service that combines advanced technology, expert human analysis, and rapid incident response to detect, analyze, and remediate cyber threats. By leveraging a combination of Endpoint Detection and Response (EDR) tools, threat intelligence, and skilled security analysts, MDR providers can help organizations enhance their security posture and reduce the risk of breaches.
Managed Kubernetes services provide a fully managed Kubernetes control plane, which includes the Kubernetes API server, etcd, and other essential components. The provider manages the control plane's infrastructure, scaling, upgrades, and security. The user manages the worker nodes, which run the containerized workloads.
An MSSP is a company that provides businesses with a range of security services, such as monitoring and protecting networks and systems from cyber threats, conducting regular assessments of a business's security posture, and providing support and expertise in the event of a security incident.
Managed Threat Hunting is a proactive cybersecurity strategy that involves the proactive identification and mitigation of potential threats. It is a collaborative effort between an organization and a team of cybersecurity experts who use specialized tools and techniques to detect, investigate, and mitigate threats. This approach differs from traditional cybersecurity measures, which typically rely on reactive responses to incidents.
Mimikatz continues to evade many security solutions. See why this successful password and credential stealing tool continues to be popular among attackers.
Mitigation (Risk Management)
The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
Learn about the MITRE ATT&CK Framework, how it can be used to classify adversary behaviors, and what to know about the latest MITRE evaluation.
Mobile malware is malicious software that targets smartphones, tablets, and other mobile devices with the end goal of gaining access to private data. Although mobile malware is not as prolific as its counterpart (malware that attacks traditional workstations), it's a growing threat for all organizations.
Multi-cloud security is the practice of securing multiple cloud environments, each with its distinct security protocols, compliance requirements, and data privacy standards.
Multi-factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity. This provides an additional layer of security to protect against unauthorized access to sensitive information.
In contrast to legacy antivirus technology, next generation antivirus (NGAV) advances threat detection by finding all symptoms of malicious behavior rather than focusing on looking only for known malware file attributes.
Open Source Intelligence (OSINT) refers to the collection, analysis, and dissemination of information that is publicly available and accessible to anyone. This includes information from sources such as social media, news articles, government reports, and other publicly available data. OSINT is used by individuals and organizations to gather intelligence and insights on various topics, including cybersecurity, market research, and competitive analysis. It can also be used by law enforcement and intelligence agencies to gather intelligence for investigations and operations. OSINT is often used in conjunction with other forms of intelligence gathering, such as human intelligence (HUMINT) and signals intelligence (SIGINT).
The hardware and software systems used to operate industrial control devices.
Related Term(s): Industrial Control System
PtH and PtT techniques target authentication mechanisms. Both enable attackers to escalate privileges and gain access to resources.
An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.
Related Term(s): active attack
A password is the key to open the door to an account. Don’t let network integrity fall victim to poor password habits. Improve your password security know-how.
Patch management helps defend against vulnerabilities through the identification and deployment of updates or patches to fix software flaws.
An unauthorized act of bypassing the security mechanisms of a network or information system.
A penetration test, also known as a pen test, pentest, or ethical hacking is a type of security assessment that simulates cyberattacks against a computer system and is performed to evaluate how weak (or strong) the security of the system is.
PII (personally identifiable information) and PHI (protected health information) are data that identify an individual or describe their health and care. Because of their value for identity theft and fraud, they are prime targets for criminals.
70% of ransomware attempts come from phishing scams. Learn how to recognize phishing scams and methods to avoid phishing attacks on your enterprise.
Polymorphic malware refers to malicious software that can change or morph its code, making it difficult for traditional antivirus solutions to detect. This ability to evolve allows polymorphic malware to evade signature-based detection methods, which rely on static patterns or signatures to identify known threats.
An observable occurrence or sign that an attacker may be preparing to cause an incident.
Related Term(s): indicator
The principle of least privilege (PoLP) holds that users, services and processes should be granted only the minimum access and permissions needed to perform their tasks, so that a compromised account or component can do only limited damage.
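The most common way least privilege is violated in practice is a wildcard in a cloud access policy. The following is an added example, not code from the original glossary, that lints AWS IAM policy documents (the JSON format is the real one; the two policies are invented) for the grants a reviewer would reject: `Action: "*"`, whole-service actions such as `s3:*`, `Resource: "*"` and `Allow` with `NotAction`, which grants everything not listed. Deny statements are skipped because wildcards there narrow access rather than widen it.

```python
import json

# Constructed example policies (AWS IAM JSON form); the bucket and statements are made up.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_findings(stmt: dict, index: int) -> list:
    """Least-privilege findings for one statement; Deny statements never widen access."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    if "NotAction" in stmt:
        findings.append(f"statement {index}: Allow with NotAction grants every action not listed")
    if "NotResource" in stmt:
        findings.append(f"statement {index}: Allow with NotResource applies to every resource not listed")
    for action in _as_list(stmt.get("Action")):
        if action == "*":
            findings.append(f"statement {index}: Action '*' grants every API call")
        elif action.endswith(":*"):
            findings.append(f"statement {index}: Action '{action}' grants an entire service")
    for resource in _as_list(stmt.get("Resource")):
        if resource == "*":
            findings.append(f"statement {index}: Resource '*' applies to every resource")
    return findings


def lint_policy(policy: dict) -> list:
    """All findings for a policy document; an empty list means no wildcard grants."""
    return [
        finding
        for index, stmt in enumerate(_as_list(policy.get("Statement")))
        for finding in statement_findings(stmt, index)
    ]


def lint_policy_json(text: str) -> list:
    """Convenience wrapper for a policy stored as a JSON string."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    print("weak:  ", lint_policy(WEAK_POLICY))
    print("scoped:", lint_policy(SCOPED_POLICY))
```

A clean report does not prove least privilege (a precisely scoped `iam:PassRole` can still be too much), but every finding it does produce is a grant that no task-scoped role should carry.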
Privileged Access Management (PAM) is a comprehensive security solution designed to manage and monitor access to privileged accounts and critical systems, ensuring that only authorized individuals can utilize these powerful privileges.
Ransomware is a type of malware that blocks access to your system or personal files until a ransom is paid. Learn actionable tips to defend yourself.
Ransomware rollback is a feature of some EDR/XDR products that restores files encrypted by ransomware to their pre-attack state, reversing the attack's effect on the endpoint. It works by recording file changes over time (snapshots or a change journal) so that, once the product's behavioral detection identifies an encryption process, the affected files can be rolled back to the versions saved before encryption began. Because many ransomware families delete Volume Shadow Copies before encrypting, rollback that depends only on the operating system's own snapshots can fail; products that keep their own protected copies are more resilient.
Ransomware-as-a-Service (RaaS) is a business model in which ransomware developers lease their malware and infrastructure to affiliates in exchange for a share of ransom payments. It allows cybercriminals with limited skills to launch sophisticated attacks, expanding the reach and impact of ransomware campaigns.
In the cyber kill chain, threat actors perform reconnaissance to gather data about their intended victims to plan more effective cyberattacks.
Red Hat OpenShift is a container application platform designed to help developers build, deploy, and manage containerized applications in any infrastructure. It provides an enterprise-grade, scalable, and secure environment for modern application development. OpenShift is based on Kubernetes, an open-source container orchestration system, and adds developer and operations-centric tools to Kubernetes.
A red team simulates real-world cyber attacks to test an organization's defenses and identify vulnerabilities. By providing a realistic test of defenses and offering recommendations for improvement, red teams can help organizations stay safe from cyber threats.
Red Team Exercise
An exercise, reflecting real-world conditions, that is conducted as a simulated attempt by an adversary to attack or exploit vulnerabilities in an enterprise’s information systems.
Related Term(s): cyber exercise
Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.
Regulatory compliance is adherence to the laws, regulations and standards that define the required controls for protecting and managing sensitive data and digital systems.
RCE allows malicious actors to execute arbitrary code on a targeted system to gain unauthorized access and take control.
The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.
The activities that address the short-term, direct effects of an incident and may also support short-term recovery.
Related Term(s): recovery
The potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood that a particular threat will exploit a particular vulnerability, with the associated consequences.
The systematic examination of the components and characteristics of risk.
Related Term(s): risk assessment, risk
The appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.
Related Term(s): risk analysis, risk
The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.
Includes: 1) conducting a risk assessment; 2) implementing strategies to mitigate risks; 3) continuous monitoring of risk over time; and 4) documenting the overall risk management program.
Related Term(s): enterprise risk management, integrated risk management, risk
Role-based access control (RBAC) assigns permissions to roles rather than directly to individuals; users and services receive the roles that match their responsibilities and inherit only the permissions those roles carry.
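The following is an added example, not code from the original glossary, of a minimal RBAC model: permissions attach to roles, roles can inherit from parent roles, users hold roles, and every check denies by default so an unknown user or a typo in a role name grants nothing. The ticketing-system roles, permissions and users are invented for illustration. The last function turns the same model into a least-privilege review by comparing what a role grants with what the account was actually observed using.

```python
from typing import Dict, Optional, Set

# Constructed example model for a ticketing system; all names are illustrative.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"ticket:read"},
    "agent": {"ticket:update", "ticket:comment"},
    "admin": {"ticket:delete", "user:manage"},
}
# Role hierarchy: a child role carries everything its parents carry.
ROLE_PARENTS: Dict[str, Set[str]] = {"agent": {"viewer"}, "admin": {"agent"}}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"viewer"}, "bob": {"agent"}, "carol": {"admin"}}


def expand_role(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """All permissions a role carries, including inherited ones.
    `seen` guards against a cycle in the hierarchy (admin -> agent -> admin)."""
    seen = seen if seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    perms = set(ROLE_PERMISSIONS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, set()):
        perms |= expand_role(parent, seen)
    return perms


def permissions_for(user: str) -> Set[str]:
    """Union of the expanded permissions of every role the user holds."""
    return set().union(*(expand_role(role) for role in USER_ROLES.get(user, set())))


def is_allowed(user: str, permission: str) -> bool:
    """Deny by default: unknown users, unknown roles and unknown permissions all resolve to False."""
    return permission in permissions_for(user)


def unused_permissions(user: str, observed: Set[str]) -> Set[str]:
    """Least-privilege review: permissions the roles grant that the account was never seen
    using (e.g. from an audit log). Candidates for moving to a narrower role."""
    return permissions_for(user) - observed


if __name__ == "__main__":
    print("bob may update tickets:", is_allowed("bob", "ticket:update"))
    print("alice may delete tickets:", is_allowed("alice", "ticket:delete"))
    print("unused by bob:", unused_permissions("bob", {"ticket:read", "ticket:update"}))
```

In production the three dictionaries come from a directory or policy store, but the two properties worth keeping are the ones shown here: deny by default, and a cycle guard so a misconfigured hierarchy fails closed instead of recursing forever.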
Ryuk is a ransomware family known for enumerating and encrypting network drives and shares in addition to local files, and for deleting Volume Shadow Copies on the victim endpoint so that local restore points cannot be used for recovery.
Website scams are fraudulent schemes designed to deceive, manipulate, or exploit internet users by posing as legitimate websites, services, or businesses. These scams often aim to steal sensitive information, such as personal details, financial data, or login credentials, or to trick users into downloading malicious software, making payments for non-existent products or services, or participating in other malicious activities. Being aware of common website scam tactics and practicing safe browsing habits can help protect against these online threats.
SecOps, or Security Operations, is a collaborative approach to cybersecurity that integrates security and IT operations teams' processes and tools. By bridging the gap between these traditionally separate teams, organizations can achieve a more cohesive and efficient response to security threats, enhance their overall security posture, and mitigate risks effectively.
A cryptographic key that is used for both encryption and decryption, enabling the operation of a symmetric key cryptography scheme.
Related Term(s): symmetric key
The use of information technology in place of manual processes for cyber incident response and management.
SIEM, or Security Information and Event Management, is a comprehensive cybersecurity approach that combines the functionalities of Security Information Management (SIM) and Security Event Management (SEM). Its primary goal is to provide organizations with a unified platform for gathering, analyzing, and correlating security event data from various sources, such as firewalls, intrusion detection systems, and antivirus software. By doing so, SIEM solutions enable real-time threat detection, alerting, and incident response, ensuring an efficient defense against potential cyberattacks.
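The value of a SIEM is in correlation across events rather than in any single log line. The following is an added example, not code from the original glossary, of one classic correlation rule run over constructed sshd log lines: five or more failed logons from one source within two minutes raise a `brute_force_attempt` alert, and a successful logon from that same source while the failures are still inside the window escalates it to `brute_force_success`, the case that needs an immediate response. Host names, addresses and accounts are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log lines (syslog layout), not captured from a real host.
LOG_LINES = [
    "Mar 12 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2",
    "Mar 12 10:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 51823 ssh2",
    "Mar 12 10:00:05 web01 sshd[1203]: Failed password for deploy from 203.0.113.7 port 51824 ssh2",
    "Mar 12 10:00:07 web01 sshd[1204]: Failed password for deploy from 203.0.113.7 port 51825 ssh2",
    "Mar 12 10:00:09 web01 sshd[1205]: Failed password for deploy from 203.0.113.7 port 51826 ssh2",
    "Mar 12 10:00:11 web01 sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51827 ssh2",
    "Mar 12 10:05:00 web01 sshd[1301]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "Mar 12 10:05:02 web01 sshd[1302]: Failed password for root from 198.51.100.9 port 40002 ssh2",
    "Mar 12 10:05:04 web01 sshd[1303]: Failed password for root from 198.51.100.9 port 40003 ssh2",
    "Mar 12 10:05:06 web01 sshd[1304]: Failed password for root from 198.51.100.9 port 40004 ssh2",
    "Mar 12 10:05:08 web01 sshd[1305]: Failed password for root from 198.51.100.9 port 40005 ssh2",
    "Mar 12 10:30:00 web01 sshd[1400]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2024):
    """Normalise one sshd line into an event; BSD syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def correlate(lines, threshold: int = 5, window_s: int = 120) -> list:
    """Sliding-window correlation keyed on source address.
    A success with >= threshold recent failures is the high-severity case."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    already_flagged = set()
    alerts = []
    for e in events:
        recent = [t for t in failures[e["ip"]] if (e["ts"] - t).total_seconds() <= window_s]
        failures[e["ip"]] = recent
        if e["outcome"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= threshold and e["ip"] not in already_flagged:
                already_flagged.add(e["ip"])
                alerts.append({"rule": "brute_force_attempt", "ip": e["ip"],
                               "count": len(recent), "ts": e["ts"]})
        else:  # Accepted
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "ip": e["ip"], "user": e["user"],
                               "failures": len(recent), "ts": e["ts"]})
            recent.clear()  # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print(alert)
```

The same shape (key, window, threshold, escalating condition) covers most SIEM use cases; what changes between them is the parser and the key, not the correlation loop.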
A Security Operations Center, or SOC, is a centralized facility where a team of cybersecurity experts works together to monitor, detect, analyze, and respond to various security incidents within an organization's digital infrastructure. The primary objective of a SOC is to minimize the impact of cyberattacks, protect sensitive data, and ensure the confidentiality, integrity, and availability of your organization's information assets.
SOAR (Security Orchestration, Automation, and Response) is a cybersecurity strategy that streamlines and optimizes security operations by integrating multiple security tools and automating routine tasks. It enables efficient threat detection, analysis, and response, fostering collaboration within security teams and minimizing the risk of human error.
A rule or set of rules that govern the acceptable use of an organization’s information and services to a level of acceptable risk and the means for protecting the organization’s information assets.
A security vulnerability is a weakness in a computer system or network that can be exploited by attackers to gain unauthorized access or cause harm.
Serverless architecture is a cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of resources. Unlike traditional architectures, serverless allows developers to build and deploy applications without worrying about the underlying infrastructure.
Shadow IT is the unauthorized use of technology by employees within an organization, including software, hardware, and cloud services. This phenomenon often arises when employees bypass IT policies and procedures to use unapproved tools or services to accomplish their tasks more efficiently. While Shadow IT can sometimes lead to productivity gains, it also exposes organizations to potential security risks, compliance issues, and financial liabilities.
Shadow SaaS is a subset of shadow IT: the use of Software-as-a-Service (SaaS) applications within an organization without the knowledge or approval of the IT department. This can include cloud-based services, apps and software tools that employees adopt to perform their job duties more efficiently or conveniently. While these solutions may offer short-term productivity gains, they bypass established security policies and protocols, and corporate data uploaded to them is outside the organization's monitoring and control.
SIM swapping is a technique in which a criminal convinces or bribes a mobile carrier into transferring a victim's phone number to a SIM the criminal controls, then uses the number to receive SMS one-time codes and password-reset messages for the victim's accounts. It is a primary reason SMS is the weakest form of second factor.
In cybersecurity, comprehending the current status and security posture with respect to availability, confidentiality, and integrity of networks, systems, users, and data, as well as projecting future states of these.
Social engineering tactics manipulate users by exploiting human emotions. Users can be tricked into giving up sensitive data or access.
The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
Spear phishing is a more sophisticated, coordinated form of phishing. It’s called spear phishing because it uses familiar, personalized information to infiltrate a business through one person.
The deliberate inducement of a user or resource to take incorrect action. Note: Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.
Spyware is a type of malicious software that is installed on a device without the user's knowledge or consent. It is used to collect sensitive information and transmit it to a third party without the user's knowledge. Spyware can compromise personal information, slow down a device, and disrupt its performance.
Site Reliability Engineering (SRE) is a discipline that combines software engineering and systems engineering principles to build and maintain reliable, scalable, and efficient software systems. SREs focus on automating infrastructure management, monitoring system performance, and proactively addressing potential issues.
Supervisory Control and Data Acquisition
A generic name for a computerized system that is capable of gathering and processing data and applying operational controls to geographically dispersed assets over long distances.
Related Term(s): Industrial Control System
A supply chain attack compromises a company's suppliers or dependencies (for example a software vendor's build system, an update mechanism or a third-party library) in order to gain access to the company's own systems and networks through a channel it trusts. These attacks can result in data theft, operational disruption and damage to a company's reputation.
Supply Chain Risk Management
The process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.
Related Term(s): supply chain
A branch of cryptography in which a cryptographic system or algorithm uses the same secret key (a shared secret key) for both encryption and decryption. Because every party holds the same key, the key must be distributed and stored securely, and a nonce must never be reused with the same key.
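The following is an added example, not code from the original glossary, that illustrates the two definitions above (symmetric key and symmetric cryptography) with a small encrypt-then-MAC construction built only from the standard library's HMAC-SHA256: one shared key is split into an encryption key and an authentication key, the encryption key drives a counter-mode keystream, and a tag over nonce and ciphertext is checked before anything is decrypted. It is a teaching construction, not a vetted cipher; production code should use AES-GCM or ChaCha20-Poly1305 from a maintained library. The key, nonce and messages are constructed for the demonstration, and the final helper exists only to show why nonce reuse is fatal.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(enc_key, nonce || counter) blocks, like a CTR mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh random nonce is drawn unless one is supplied
    (the parameter exists only so the nonce-reuse demonstration below is reproducible)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key as encrypt (that is the symmetric property). Verifies the tag in constant time
    before decrypting, so a tampered or truncated message is rejected rather than decoded."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def decrypt_ok(key: bytes, blob: bytes) -> bool:
    """True if the message authenticates under this key, False otherwise."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def ciphertext_body(blob: bytes) -> bytes:
    return blob[NONCE_LEN:-TAG_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    shared_key = os.urandom(32)          # both parties must hold this; that is the hard part
    blob = encrypt(shared_key, b"attack at dawn")
    print(decrypt(shared_key, blob))
    # Nonce reuse: with the same key and nonce the keystreams cancel, so XOR of the two
    # ciphertexts equals XOR of the two plaintexts, leaking both.
    n = b"\x00" * NONCE_LEN
    c1, c2 = encrypt(shared_key, b"attack at dawn", n), encrypt(shared_key, b"hold positions", n)
    print(xor_bytes(ciphertext_body(c1), ciphertext_body(c2)) == xor_bytes(b"attack at dawn", b"hold positions"))
```

Two points the definition alone does not convey: confidentiality without a tag is not enough (a bit flipped in a stream cipher flips the same bit in the plaintext), and the key is only half of what must be managed, since the nonce-reuse check at the end shows the same key with a repeated nonce leaking the XOR of two messages.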
A syslog, short for System Log, is a standardized logging protocol used to record and manage log messages generated by various devices and applications within an IT infrastructure. Syslog is widely adopted across operating systems, such as Linux, Unix, and macOS, and is also supported by many network devices and applications.
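Syslog messages arrive in two wire formats, the older BSD layout (RFC 3164) and the structured RFC 5424 layout, and both carry a PRI value that encodes facility and severity as `facility * 8 + severity`. The following is an added example, not code from the original glossary, of a parser for both formats that decodes PRI, rejects out-of-range values, and unpacks RFC 5424 structured data. The first three sample lines are adapted from the examples in RFC 5424 (the BOM is omitted); the remaining ones are constructed. Escaped characters inside structured-data values are not handled, which is a deliberate simplification.

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>-|\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)
SD_ELEMENT_RE = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]")
SD_PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')

# Sample messages: the first three adapted from RFC 5424 section 6.5, the rest constructed.
SAMPLE_LINES = [
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts.",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry',
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Mar 12 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51822 ssh2",
]


def decode_pri(pri: int):
    """PRI = facility * 8 + severity; anything above 191 is malformed."""
    if pri < 0 or pri > 191:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_structured_data(sd: str) -> dict:
    """'-' means none; otherwise one dict of params per SD-ID."""
    if sd == "-":
        return {}
    return {m["id"]: dict(SD_PARAM_RE.findall(m["params"])) for m in SD_ELEMENT_RE.finditer(sd)}


def parse_syslog(line: str):
    """Return a dict for an RFC 5424 or RFC 3164 message, or None if the line is neither."""
    m = RFC5424_RE.match(line)
    if m:
        decoded = decode_pri(int(m["pri"]))
        if decoded is None:
            return None
        return {"format": "rfc5424", "facility": decoded[0], "severity": decoded[1],
                "timestamp": m["ts"], "host": m["host"], "app": m["app"], "procid": m["procid"],
                "msgid": m["msgid"], "structured_data": parse_structured_data(m["sd"]),
                "message": m["msg"] or ""}
    m = RFC3164_RE.match(line)
    if m:
        decoded = decode_pri(int(m["pri"]))
        if decoded is None:
            return None
        return {"format": "rfc3164", "facility": decoded[0], "severity": decoded[1],
                "timestamp": m["ts"], "host": m["host"], "tag": m["tag"], "pid": m["pid"],
                "message": m["msg"]}
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

The PRI decode is the part worth getting right in a collector: a message that claims facility `auth` at severity `crit` should be routed differently from `local4`/`notice`, and a PRI outside 0 to 191 is a sign of a broken or hostile sender rather than a message to file.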
In the NICE Framework, cybersecurity work where a person: Works on the development phases of the systems development lifecycle.
Systems Requirements Planning
In the NICE Framework, cybersecurity work where a person: Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions; provides guidance to customers about applicability of information systems to meet business needs.
The total cost of ownership (TCO) in cybersecurity refers to the cost associated with implementing, maintaining, and managing a cybersecurity infrastructure. This includes the direct costs of hardware, software, and services and the indirect costs related to business continuity, staff productivity, risk management, and organizational efficiency. Understanding TCO allows organizations to make informed decisions about their cybersecurity investments and allocate resources effectively.
A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Related Term(s): adversary, attacker
In the NICE Framework, cybersecurity work where a person: Identifies and assesses the capabilities and activities of cyber criminals or foreign intelligence entities; produces findings to help initialize or support law enforcement and counterintelligence investigations or activities.
The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations, and/or property.
Related Term(s): threat analysis
Curious about threat hunting? Is your security team actively searching for malicious actors & hidden threats on your network? If not, read about how they can!
TTPs (tactics, techniques and procedures) describe how adversaries operate: tactics are the goals of an action (for example initial access or persistence), techniques are the methods used to achieve them, and procedures are the specific implementations observed in practice. Profiling TTPs helps defenders understand attackers' motives and methods and build detections that survive changes in tooling.
TLP, or Traffic Light Protocol, is a labelling scheme for indicating how widely sensitive information may be shared, with handling guidelines attached to each label. The original version used four colours: red, amber, green and white. TLP 2.0, published by FIRST in 2022, renamed white to TLP:CLEAR and added TLP:AMBER+STRICT, which restricts sharing to the recipient's own organization.
Triple extortion adds a third layer to ransomware attacks: after encrypting data, exfiltrating it and demanding ransom, threat actors apply further pressure with DDoS attacks on the victim or by contacting the victim's customers and partners directly.
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
A VPN (virtual private network) creates an encrypted tunnel between a device and a VPN endpoint, so that traffic to the internet or a private network is hidden from observers on the path. It protects the confidentiality of traffic in transit but does not by itself protect against malware, phishing or malicious destinations.
A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.
Related Term(s): macro virus
Vulnerability Assessment and Management
In the NICE Framework, cybersecurity work where a person: Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.
A shortcoming or imperfection in software code, design, architecture, or deployment that, under proper conditions, could become a vulnerability or contribute to the introduction of vulnerabilities.
Related Term(s): vulnerability
A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.
Related Term(s): Blue Team, Red Team
A list of entities that are considered trustworthy and are granted access or privileges; also called an allowlist.
Related Term(s): blacklist
How can PowerShell impact your business's valuable assets? Learn the basics of PowerShell, why it's attractive to hackers & how to protect the enterprise.
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Protecting the organization across multiple layers requires an XDR platform, but what is XDR exactly? And what should you look for when choosing a solution?
Zero trust is a security design approach in which no user, device or connection is trusted implicitly because of its network location. Every request is authenticated, authorized against policy and continuously verified, and access is limited to what the identity needs for the task.
Zero Days (0-Days) occur more than you think. Read how threat actors exploit vulnerabilities to perform Zero Day attacks & how to defend against them.