Cybersecurity is a rapidly changing field. The arms race between hackers and organizations trying to defend themselves has given rise to a lexicon of epic proportions—and leaders from almost every industry are learning to speak the language.
As concepts like antivirus and firewalls have grown old, security-tech companies are selling everything from “advanced threat detection” to “incident response” to “backup and recovery” systems. Terms like “encryption” and “ransomware” now appear in mainstream news headlines. Even among security experts, there is some ambiguity as to what things like “dwell time” or “dark Web” actually mean.
Business and technology leaders want to get on the same page so they can collaborate better. We at Xconomy want to create that page—and help define the terminology in one place as a resource to advance discussions.
So here it is: a list of the top terms—35 to start with—that we’ve been hearing in cybersecurity circles. It’s a mix of old and new, attacks and defenses, security-related entities and problem-solving approaches. The list is not meant to be technical or comprehensive. It represents a snapshot of terms you’ll want to know if you listen to high-level security discussions in 2016. We hope it will be useful to the security community, as well as to general business and tech readers, as part of our new cybersecurity channel.
This glossary is intended to be a living, evolving document. We plan to update it as we hear of more terms that should be defined in one place, and as meanings and examples change. (If you have a suggestion, please leave a comment or drop me a line at the address below.)
| Term or phrase | Definition |
|---|---|
| Advanced persistent threat (APT) | A long-term, sophisticated hacking attack against a specific network or entity, usually intended to steal data or assets. |
| Antivirus | Software designed to identify and remove computer viruses or other malware on an organization’s devices or IT systems. |
| Attack surface | The totality of different points where hackers could enter or extract data from an environment. Applies to software, networks, and humans, and represents the sum of an organization’s security risk exposure. |
| Authentication | Process in which a user’s credentials are compared to what’s listed in a database of authorized users’ information. (Two-factor authentication means signing in with known login information plus a second “factor” such as a code received in a text message or a physical token.) |
| Backup and recovery | Process by which a copy of data in an archive can be used to reconstruct the original data in the event of a loss, corruption, or disaster. |
| Bitcoin | A form of digital currency created by software and held electronically, which allows for some level of anonymity. (Attackers using ransomware, for example, may demand payment in bitcoins.) |
| Code injection | An attack that introduces malicious code into a software application, which then executes the code when the application is opened. Examples: SQL injection, which can compromise or modify information in a database, and cross-site scripting, which can allow hackers to hijack user accounts or display fraudulent content. |
| Dark Web | Sites on the public Internet that hide their creators’ identity and server IP addresses using encryption. The sites are not indexed by conventional search engines and usually require software or authorization tools to access. Used by hackers and others to communicate in a more anonymous way. |
| Distributed denial of service (DDoS) | A coordinated attack in which multiple connected machines, usually infected with malware or otherwise compromised to co-opt them into the attack, flood a network, server, or website with so much data as to make it unusable. |
| Dwell time | Duration, usually in days, that a vulnerability or infection remains undetected within a network or environment. (Some also define it as the time between detection and remediation, or even total time from infection to remediation.) |
| Encryption | A method for scrambling a message, file, or other data and turning it into a secret code. The code can only be read using a “key” or other piece of information (such as a long string of numbers), usually created with an algorithm. (See Apple, FBI, WhatsApp.) |
| Endpoint protection | Technologies and strategies for securing devices such as laptops, mobile phones, tablets, workstations, and servers that connect to a corporate network. The devices are known as “endpoints.” |
| Firewall | A security system that monitors and controls traffic between an internal network (trusted to be secure) and an external network (not trusted). Generally considered insufficient against today’s cyber threats. |
| Hacktivism | Computer or Internet hacking activities motivated by social or political reasons. There is disagreement over whether “hacktivists” are heroes or criminals (see Anonymous, Aaron Swartz). |
| Heartbleed | A widespread vulnerability discovered in April 2014 that put user passwords (and other sensitive information) on popular websites at risk of being stolen. The bug, in OpenSSL encryption software, allowed hackers to repeatedly access a Web server’s memory. |
| Incident detection | The first step in dealing with an attack or threat, which is to identify it. May include network monitoring, behavioral analytics, and other ways to detect hacker behavior. |
| Incident response | An organization’s structure for managing, mitigating, and resolving cybersecurity events (such as breaches). This involves people, processes, and technology, which includes workflow management, collaboration, process automation and orchestration, analytics, and reporting. |
| Internet of Things (IoT) | The network of all devices and objects that have electronics and can connect to the Internet. Includes smartphones, tablets, laptops, and servers, but also cars, buildings, and household items like doorbells, thermostats, toys, and faucets. A major security challenge, as any device can potentially be a target or conduit for an attack. |
| Kill chain | Military-inspired term encompassing the various stages of a cyber attack—reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action. Applies mainly to malware attacks, and was popularized by Lockheed Martin. |
| Machine learning | As applied to security, this refers to artificial-intelligence techniques for helping computers adapt to evolving threats. Useful for understanding large amounts of data, detecting anomalies in networks or user behavior, and could be central to predictive security approaches in the future. |
| Malware | Malicious or hostile software used to attack or infiltrate a computer system or network. Often embedded in non-malicious files or programs, it includes things like computer viruses, worms, ransomware, and spyware. |
| Orchestration | Establishing, centralizing, and standardizing threat detection and incident response procedures. Includes automation and integration of different security workflows, technologies, and tools. |
| Penetration testing (pen testing) | Refers to techniques for actively testing an organization’s computer or network security, usually by identifying potential vulnerabilities and weak spots and trying to exploit those and/or break in. |
| Phishing | Attempting to steal sensitive data such as passwords or credit card numbers by pretending to be a trusted entity. Can be done with e-mail, phone calls, or other methods, for example, to direct a user to visit a bogus website and enter account information. |
| Privileged account | Credentials within an organization that allow a user elevated access to things like operating systems, network devices, and key IT infrastructure. A popular target for hackers and malicious insiders. |
| Ransomware | A type of malware that prevents access to the target’s computer system or data until a ransom is paid to the attacker. Often uses encryption to lock up files or IT systems, holding them hostage until a decryption key is paid for. Recent targets include companies, hospital systems, and city governments. |
| Remediation | What an organization does to limit or stop an attack once it’s detected, as part of incident response. Includes things like blocking IP addresses, removing infected files or devices, and restoring affected systems to a known good state. |
| Resilience | The ability of an organization to manage cybersecurity incidents, recover from failure or damage, and keep running continuously despite growing threats. |
| Rogue wireless device | Unauthorized hardware that is connected to or near an organization’s network or systems. Examples range from a wireless router to a laptop to a keystroke logger. The device can be used to gain access to sensitive data, send it back to an adversary, or connect other devices to a network. |
| SIEM (security information and event management) | The combined process of incident detection and incident response (pronounced “sim”). Includes features such as alerts, analytics, dashboards, and forensic analysis. |
| Threat detection | Methods for identifying system vulnerabilities and hacking behaviors. Can include any number of technologies, including machine learning, statistical modeling, and network or Web monitoring using software or hardware. |
| Tor (The Onion Router) | Open-source network software that disguises users’ identity and location by encrypting data and routing traffic around an intercontinental network of servers run by volunteers. Used by sites on the dark Web, among others. |
| Vulnerability scanner | Software program that automatically finds, assesses, and reports weaknesses in a computer system, network, or application. This is one form of threat detection. |
| Worm | A type of malware that is standalone (unlike a virus, which is attached to another program) and spreads to other machines by replicating itself. Capable of very targeted attacks. An example is Stuxnet, a cyber weapon used to disrupt Iran’s nuclear program in 2009-2010. |
| Zero-day attack | Hacking that exploits a vulnerability in software that is unknown to the vendor and has no patch yet. This type of threat is particularly difficult to detect and defend against. The name refers to a vendor or organization having no time to fix the hole prior to attack. Recent example: Sony. |
Cybersecurity Channel Underwriters:
