Cyber security glossary

See Arbitrary Code Execution.

Address Space Layout Randomisation (ASLR) is a computer security technique involved in protection from buffer overflow attacks. In order to prevent an attacker from reliably jumping to a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process.

The Advanced Encryption Standard (AES), also known as Rijndael, is an electronic data encryption specification defined by the National Institute of Standards and Technology (NIST). All AES implementations use a symmetric-key algorithm with a block size of 128 bits, but have key sizes varying between 128, 192 or 256 bits.

A stealthy, sophisticated hacking attack against a specific network or system, usually intended to steal data or assets. Both private and governmental organisations are targeted for both political or financial motives.

Groups that pose an APT risk are typically nation-state sponsored, with the capability, intent and resources to conduct a long-term campaign against a targeted entity.

Software that downloads or displays unwanted advertisements in the application being used. Adware can also collect data on which sites the user visits and sends this data back to the adware company to deliver targeted advertising to the user.

See Advanced Encryption Standard.

An allow list, known in some places as a whitelist, is the opposite of a deny list. It is a list of trusted resources or destinations that a user or application can access. Allow listing is typically resource intensive, but is more secure than deny listing.

Designed to identify and remove computer viruses, other malware and spyware on a device or IT system. To be effective it should be kept up-to-date with the latest anti-virus signatures and definitions.

See Advanced Persistent Threat.

APT28 (also known as GRU26165, GRU74455, Fancy Bear, Sednit, Sofacy or Pawn Storm) is a highly skilled advanced persistent threat group believe to be operating on behalf of, or directly for, the government of the Russian Federation.

They target government, financial, industrial, media and research organisations as well as individuals worldwide but with a focus on Europe (both Western and Eastern), the USA ans South America.

The ability of an attacker to execute any command they choose on a targeted device.

See Address Space Layout Randomisation.

The aggregate of the different points where hackers could try to enter data or extract data from an environment. It applies to software, networks and humans, representing the sum of an organisation’s security risk exposure to hackers and internal users.

The act of confirming the truth of a single piece of data that a user claims is true. There are three primary categories of factors that can be used for user authentication:

• knowledge factors - something the user knows; such as a password, PIN or security question.
• possession factors - something the user owns; such as ID card, mobile phone or hardware token.
• inherence factors - something the user is; such as bio-metrics.

Both user location and time of access are now also considered authentication factors.

Authentication can be split into categories depending on the number of factors used in the authentication process:

• single-factor authentication (1FA) - an authentication process that uses a single factor from one of the three categories, such as a contactless payment requires a bankcard (possession factor) - 1FA is the weakest form of authentication
• two-factor authentication (2FA) - an authentication process that uses factors from two of the categories, such as a larger payment requires a bankcard (possession factor) and a PIN (knowledge factor)
• multi-factor authentication (MFA) - an authentication process that uses factors from at least 2 of the categories, for example some payments may require a bankcard (possession factor), PIN (knowledge factor) and a fingerprint (inherence factor) - this is considered the strongest form of authentication

A backdoor is a method of bypassing normal authentication on a device. They are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.

The process of making a copy of data in an archive which can be used to reconstruct the original data in the event of a loss, corruption or disaster.

The Basic Input Output System (BIOS) is a non-volatile firmware used to perform hardware initialisation and testing during the startup process. First created in 1975, it has now mostly been replaced by the more complex and capable Unified Extensible Firmware Interface (UEFI).

See Basic Input Output System.

A form of digital currency created by software and held electronically, which provides some anonymity. Attackers using ransomware may demand payment in bitcoins.

In networking, blackholes refer to places in the network where incoming or outgoing traffic is silently discarded (or dropped), without informing the source that the data did not reach its intended recipient.

We're now using the term 'deny list' instead of 'blacklist'. The National Cyber Security Centre (NCSC) have written a blog that helps to explain this change.

A bootkit acts much the same as a rootkit, however it targets the master boot record which allows it to be executed prior to the loading of the operating system (OS).

This allows for bootkits to remain undetected on a system, as the components remain outside of the OS file system, making them undetectable by traditional anti-virus software.

An interconnected network of computers (bots) infected with malware without the user's knowledge and controlled by cybercriminals.

Typically used to send spam emails, transmit malware and engage in other acts of cybercrime that a single machine would not be able to undertake.

A botshop acts as an intermediary between botnet owners and potential clients, handling payments, dispute resolution and listings between parties.

A brute-force attack consists of an attacker systematically checking all possible passwords/passphrases in the hope of eventually guessing correctly.

A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold.

Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.

This enables an attacker to access data stored in memory by pushing extra data into the stack, causing it to overflow.

See Command and Control Server.

A software or hardware component that stores data so that it may be accessed faster at a later date.

Client-side is a term used in web development. Client-side code executes within a user's web browser and can be altered and modified by users.

An attack that introduces malicious code into a software application and then executes the code when the application is opened. Examples include SQL injection, which can compromise or modify information in a database, and cross-site scripting (XSS) which can allow hackers to hijack user accounts or display fraudulent content.

The act of producing or altering code in order to make it difficult for humans to read. Code is obfuscated to conceal its purpose in order to prevent analysis, tampering or reverse engineering.

A device used to coordinate the actions of other devices in a botnet or which are infected by a rootkit, worm or other forms of malware. Also known as a C&C server.

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.

Malicious instructions (script) are injected into otherwise innocent and trusted web sites, allowing the attacker to modify the web page to suit the attacker's objectives. For example extracting data, bypassing other security controls or delivering malicious code for the browser to execute on the user’s computer.

There are several types of cross-site scripting attacks, including:

• reflected - a basic XSS attack that sends scripts that are immediately parsed by the site without first checking their legitimacy these are primarily delivered via email
• persistent - also known as a stored XSS attack, a persistent attack occurs when the scripts are saved by the user, resulting in them being permanently displayed on any normal website
• mutated - an XSS attack that uses apparently legitimate script that have in fact been modified - mutated attacks can be very difficult to detect or sanitise

An attack that uses unauthorised commands from trusted users in order to perform malicious actions on a targeted website.

A cryptocurrency (AKA crypto-currency) is a digital asset that is designed to act as an exchange medium. They use cryptography to verify and secure transactions, control the creation of new assets and protect the identity of asset holders. Popular cryptocurrencies include:

• Bitcoin
• Ethereum
• Monero

Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

Modern cryptography is the central mechanism for achieving the following four security objectives:

• confidentiality
• integrity
• non-repudiation
• authentication

See Common Vulnerabilities and Exposures.

See Common Vulnerability Scoring System.

Prefix for internet and computing terms based on existing concepts, such as:

• cyber-security
• cyber-criminal
• cyber-terrorism

A collection of thousands of websites which are not indexed by conventional search engines. They often use anonymity tools, like the Tor network, to hide their IP address and preserve the anonymity of the creators and visitors.

The anonymity (also known as the dark net) provided can be used for both good and bad causes, including protecting communications made by subjects of oppressive regimes or protecting the identity of criminals.  

A symmetric-key encryption algorithm created in 1975. DES has several well-publicised vulnerabilities and has been has been withdrawn for use by the National Institute of Standards and Technology (NIST). The AES algorithm has superseded DES in most cases.

See Distributed Denial-of-Service.

The process of transforming encrypted data back into a state in which it is usable by the system.

A tool, also known as a decrypter, used to decrypt previously encrypted data, typically that which has been encrypted by a ransomware tool. Several well-known security and anti-malware vendors produce their own free decrypters, which can be found on the No More Ransom website.

A demilitarised zone (DMZ) is a physical or logical network used to separate an internal network from other, untrusted networks. Services and resources such as mail and FTP servers are contained within the DMZ in order to be accessible from external networks, such as the internet, but the rest of the internal network is unreachable. 

An attack where an attempt is made to flood a network, server or website with so much data to make it unusable.

Technically, DoS refers to an attack involving a single source which can easily be blocked. However, DoS is often used to describe all denial-of-service attacks including DDoS and other attacks which affect availability.

A deny list, known in some places as a blacklist, refers to a list of untrusted resources or destinations that a user or application may not access.

See Data Encryption Standard.

See Domain Generation Algorithm.

A system feature that allows certain computer hardware subsystems access to main system RAM without involving the central processing unit .

A directory traversal attack attempts to gain unauthorised access to the file system. It involves passing characters into software that move file operations to the parent directory, with '../' being the most common sequence.

This is also known as a path traversal attack, a directory climbing attack or a backtracking attack.

A coordinated attack in which a botnet of multiple connected machines (usually infected with malware or otherwise compromised to co-opt them into the attack) flood a network, server or website with so much data to make it unusable. As multiple sources are involved this attack is much harder to block.

See Dynamic-link Library.

See Direct Memory Access.

See Demilitarised Zone.

A Denial of Service (DoS) attack where an adversary sends a malicious Domain Name Service (DNS) request to a DNS server that fools the server into responding instead to the victim of the attack. The origin of the attack is concealed from the victim.

The Domain Name System (DNS) did not include any security features as the priority was for the design to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to address the security weaknesses while maintaining backward compatibility.

Essentially, DNSSEC adds authentication to DNS to make the system more secure. 

A Domain Name Service (DNS) Server translates a domain name (which is easy for humans to remember such as www.nhs.net) into its corresponding IP address used by computers to route the traffic to the correct destination. Both public (open) and private DNS servers can be implemented.

See DNS Security Extensions.

Domain generation algorithms (DGA) are algorithms that periodically generate large numbers of unique domain names for use as rendezvous points for command and control (C2) servers. This makes it extremely difficult to prevent malware from communicating with their C2 network.

See Denial-of-Service.

A tool used to download and install another payload on a target system. Typically used as the first stage for an infection.

A download which a user is not aware of or has not consented to. Commonly used to refer to malware downloaded from compromised legitimate websites.

A trojan that is used to install another payload on a target system.

The duration (usually in days) that a vulnerability or infection remains undetected within a network or environment. It can also be defined as the time between detection and remediation, or even total time from infection to remediation.

A dynamic-link library is a Microsoft implementation of the shared-file format that contains code and date used by more than one program.

A method to scramble a message, file or other data and turn it into a secret code using an algorithm (complex mathematical formula). The code can only be read using a key or other piece of information (such as a password) which can decrypt the code.

Technologies, software and strategies for securing devices such as laptops, mobile phones, tablets, workstations and servers that connect to a network. The devices are known as endpoints.

Any means of combining a compressed executable file with the decompression code and packaging the resulting data into a single executable file. Applications that perform this are known as executable compressors, runtime packers or software protectors. 

Unauthorised transferal or copying of data from a system. It is also referred to as data theft or extraction.

An exploit kit is software designed to run covertly on web servers with the purpose of identifying software vulnerabilities in the devices of victims visiting the website. The vulnerabilities are exploited to download and execute malicious code on the victim’s machine.

Exploit kits are usually sold on the dark web and are frequently used by attackers to distribute malware such as ransomware.

File hashes are a unique value produced by running a hash algorithm against a file. Anti-malware researchers publish malware hash value details as indicators of compromise.

If a file hash value for a file on a victim’s system matches one of the published hashes then the malware is present and can be identified. There is a very small possibility that two files could have the same hash value, this is called ‘hash collision’.

The File Transfer Protocol (IETF RFC 114, 765, 959, 1579, 2228 and 2428) is a client-server network-layer protocol for transferring files across a network over TCP port 21. Created in 1971, it has proven to be a popular method for sending files.

FTP was developed at a time when security was not considered when designing protocols. Data transmitted using FTP is not encrypted and can be intercepted by an attacker with access to the network. It's also vulnerable to several attacks including brute-forcing, spoofing or FTP bounce attacks.

File Transfer Protocol Secure (IETF RFC 2228 and 4217), known as FTPS, is an extension for FTP that uses Transport Layer Security to encrypt data.

This term is used to describe a process that exists exclusively in volatile system memory (such as RAM). File-less processes do not write any part of their activity to disk, making them difficult to detect with anti-virus products or computer forensic techniques.

As they are designed to operate in-memory, file-less processes can be terminated by rebooting the system.

A security system that monitors and controls traffic between an internal network (trusted to be secure) and an external network (not trusted). It is generally considered insufficient against modern cyber threats.

See File Transfer Protocol.

See File Transfer Protocol Secure.

See General Data Protection Regulation.

The General Data Protection Regulation (GDPR) 2016/679 is a European Union regulation covering data protection and individual privacy rights. It was introduced in April 2018 and enforced on 25th May 2018.

GitHub is an internet-based hosting and version-control service primarily used for computer code. As of 2017, it is the world's largest repository of source code.

A hacker is a computer and networking attacker who systematically attempts to penetrate a computer system or network using tools and attack methodologies to find and exploit security vulnerabilities.

Security professionals called penetration testers use the same tools and techniques as hackers to identify vulnerabilities so they can be remediated before they are exploited by hackers.

Computer or internet hacking activities motivated by social or political reasons, for example the Anonymous group. There is disagreement over whether hacktivists are heroes or criminals, but any form of unauthorised computer access is however illegal.

The product of passing an arbitrary amount of data through a cryptographic hashing function. Hashes typically have a fixed length and are unique to the original data. Common hashing functions include:

• MD5 - 128-bit hash value - 32 character string
• SHA1 - 160-bit hash value - 40 character string
• SHA256 - 256-bit hash value - 64 character string

HIDDEN COBRA are an advanced persistent threat (APT) group believed to be either a part of the Democratic People's Republic of Korea's (DPRK or North Korea) armed forces or operating with their complicit support. Alternative names for the group include the Lazarus Group, Guardians of Peace, NICKEL ACADEMY and ZINC.

They target governmental, telecommunications, engineering and finance organisations as well as critical infrastructure throughout Asia, Europe and the USA.

Several high-profile attacks have been attributed to them, including the:

• 2014 Sony Pictures attack
• 2016 Bangladesh Bank attack
• 2017 WannaCry ransomware attack

All operating systems (Windows, Linux and macOS) use a hosts file as a first point of call to map a hostname (or URI) to an IP address.

Using a hosts file it is possible to route traffic to a different IP address than it’s DNS entry. 

See Hypertext Transfer Protocol.

See Hypertext Transfer Protocol Secure.

Originally developed in 1989, the Hypertext Transfer Protocol (IETF RFC 2068, 2616 and 7230) is a client-server application-layer protocol for distributed information systems and is the basic protocol used by the internet.

Data sent between a client and server over HTTP is not encrypted and could be intercepted and tampered with by a man-in-the-middle attacker.

Hypertext Transfer Protocol Secure (IETF RFC 2818), also known as HTTPS, is an extension for HTTP for secure communications. HTTPS use transport layer security to authenticate and encrypt HTTP traffic. As of 2018, HTTPS accounts for more traffic than HTTP.

Manages the creation and execution of virtual machines on a host computer system.

See Intrusion Detection System.

See Inline Frame.

The first steps in dealing with an attack or threat is to identify its occurrence. This can include network monitoring, behavioural analytics and other ways to detect malicious or abnormal behaviour or traffic.

An organisation’s structure for managing, mitigating and resolving security incidents (such as breaches). This involves people, processes and technology.

Pieces of forensic data which indicate computer or network compromise that can assist in identifying potentially malicious activity on a system or network.

Threats such as a specific variant or malware have specific IoCs which can be used to identify the variant of malware you are infected with. For example, certain files are created or altered in a certain way and perhaps within a specific location, an IP address may be contacted.

An IFrame (inline Frame) is an HTML document embedded inside another HTMLdocument on a website. The iFrame HTML element is often used to insert content from another source, such as an advertisement, into a web page.

A numerical label assigned to each device in a network. The IP address identifies each computer using the internet protocol to communicate over a network.

An application layer protocol used for text communications in a client/server network. Created in 1988, IRC (IETF RFC 1459) is typically unsecured and has several well-documented vulnerabilities.

The network of devices and objects that can connect to the Internet. This includes devices such as smartphones, tablets, laptops and servers, but also is starting to extend to transport, buildings and household items like doorbells, thermostats, lightbulbs and toys.

In a healthcare setting this can also include examples such as patient monitoring and asset tracking. This represents a major security challenge as any device can potentially be a target or conduit for an attack and remediation will be difficult to implement.

An intrusion detection system is a hardware or software tool that monitors a network or system for malicious activity. There are two distinct types of IDS:

• Network-based intrusion detection system (NIDS) - NIDS are placed strategically within a network to monitor all traffic passing through and between devices on the network.
• Host-based intrusion detection system (HIDS) - HIDS are placed on individual devices within a network and monitor all inbound and outbound traffic to the device.

An IDS that is able to respond to threats is known as an intrusion prevention system (IPS).

See Indicators of Compromise.

See Internet of Things.

An IP address (Internet Protocol Address) is a label assigned to computer devices.

An IP address is essential for Internet Protocol communication.

IP addresses can be represented as an IPv4 address (example: 192.168.0.1) or an IPv6 address (example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334). 

See Internet Relay Chat.

JavaScript is commonly used on web applications. JavaScript is a client-side script that executes in a browser window.

There are many uses for JavaScript, from altering the user's view to enhance their browsing experience, to loading images and text.

JavaScript can also be used by attackers to log keystrokes and download malicious payloads. 

Key generators, often referred to as keygens, are tools designed to generate legitimate software activation keys. 

Keylogging, also known as keystroke logging or keyboard capture, is the action of recording, often secretly, the keys struck on a keyboard. An application used to perform keylogging is called a keylogger.

Keyloggers are typically used to gain access to sensitive information or credentials, and are most commonly seen in spyware or banking trojans.

This is a military-inspired term to describe the steps of a malware attack:

• reconnaissance
• weaponisation
• delivery
• exploitation
• installation
• command and control
• action

It can also be used to describe the steps taken to recover from an attack:

• preparation
• identification
• containment
• eradication
• recovery
• lessons learned

See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (IETF RFC 4511) is an open-source application protocol used to access and maintain directory services across an IP network. By default, LDAP traffic uses TCP/UDP port 389.

The practice of using legitimate commercial-off-the-shelf or pre-installed tools as part of the infection chain.

Log files are files that record events and relevant messages generated by a system or application.

See Malware-as-a-Service.

A media access control (MAC, IEEE 802) address is a unique identifier assigned to a device's network interface controller. Typically stored in some form or read-only memory, MAC addresses are also known as hardware or physical addresses.

In cyber security, this refers to artificial-intelligence techniques for helping computers adapt to evolving threats. It is useful for understanding large amounts of data, user behaviour or detecting anomalies in networks.

Malvertising is the act of inserting malicious advertisements into otherwise legitimate webpages or advertising networks.

Malware is  malicious or hostile software used to disrupt, damage or compromise a computer system or network. It is often embedded in non-malicious files or programs and often includes:

• computer viruses
• worms
• ransomware
• spyware

Malware usually consists of a downloader which downloads a payload (from a command and control server) that contains the malicious code which attacks a target.

Authors of malicious software selling malware as a cloud-based service, similar to the wider legitimate IT industry.

For example, users can purchase spam campaigns from email botnets, rent ransomware kits and offer a portion of the payments to the operators or buy tailored information from a banking trojan. 

An attack method where the attacker is able to intercept messages passing between two victims and inject new ones without the victims being aware. Encryption tools can defend against an attack.

Also known as the Master Partition Table (MPT), it is the first sector on a disk and contains the code used to execute the operating system as well as the location of all partitions on the drive. MBR can work with both BIOS or UEFI firmware but cannot address disks larger than 2TB. It can be replaced by the GUID Partition Table (GPT) on UEFI firmware devices.

See Master Boot Record.

Miners, also known as cryptocurrency miners or cryptominers, are a form of malware that uses the resources of an infected device to generate units of a cryptocurrency.

See Man-in-the-Middle.

Monero is a privacy-focused open-source cryptocurrency. It differs from other cryptocurrencies such as Bitcoin in that all Monero transactions are anonymised. This anonymity, as well as the ability to comfortably mine on CPU resources alone, make Monero a popular choice for cybercriminals.

Network Basic Input/Output System, or NetBIOS, is a session-layer application programming interface used to allow applications on separate devices to communicate over a local area network. NetBIOS uses ports 137 (TCP/UDP), 138 (UDP) and 139 (TCP).

The act of collecting information on a targeted network for use in later attacks.

Establishing, centralising and standardising threat detection and incident response procedures. It includes automation and integration of different security workflows, technologies and tools.

See Peer to Peer.

See executable compression.

Patch management covers acquiring, testing and installing multiple patches (manufacturer released code changes) to a computer system or application. Firmware and software vendors release patches to fix defects, change functionality and to address known security vulnerabilities.

See Patch Management.

The payload is the component of an exploit or malware that performs malicious activity.

A method of distributing tasks or work load between peer nodes without being managed by a central controller. All peer nodes have the same privileges and priority and are said to form a peer-to-peer network of nodes.

Techniques for actively testing an organisation’s computer or network security. This is usually performed by identifying potential vulnerabilities and weak spots and trying to exploit those and/or break in so these weak spots/vulnerabilities can be resolved before they can be exploited by an attacker.

See Pretty Good Privacy.

Phishing is a type of fraud in which the attacker attempts to steal sensitive data such as passwords or credit card numbers, via social engineering. Phishing can be performed via:

• email
• phone calls
• instant messaging
• other communication channels

See Proof of Concept.

Property of an application or process that is able to alter its identifiable characteristics such as name, encryption keys or filesize in order to prevent or hinder signature-based detection. Approximately 97% of known malware families employ some polymorphic capabilities.

A pop-under is a form of creating a new browser window. This is designed to be undetectable user and typically will not interrupt the users browsing session. It is common for pop-unders to display no information.

Pop-unders are used to run scripts, usually unbeknown to the users. These scripts are not necessarily malicious, but there is very little justification for a web application to do this.

A pop-up or pop-over is a form of online advertising that creates a new browser window. This new browser window appears in front of the current browser window.

Pop-ups can be created through clicking on a link or automatically by the web site. 

A potentially unwanted program, also known as a potentially unwanted application (PUA), is usually downloaded alongside legitimate software without the user being aware and is mainly spyware or adware.

The user has inadvertently agreed to install the PUP by agreeing to the terms when downloading the legitimate software which differentiates it from malware. Most anti-malware tools will alert the user if PUP is discovered.

Pretty Good Privacy (PGP RFC1991) is an encryption standard developed in 1991 to encrypt most file-types, including text, emails, file directories and disk partitions. It is considered to be one of the most secure publicly available encryption standards and it is most often used in it's open licence form OpenPGP (RF4880).

Privilege escalation exploits a bug, design flaw or misconfiguration in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

An application with more privileges than intended by the developer or system administrator can perform unauthorised actions.

Credentials within an organisation that allow a user elevated access to operating systems, network devices and key IT infrastructure. A popular target for hackers and malicious insiders.

Process hollowing is a anti-detection technique in which a legitimate process is loaded to act as a container for malicious code. It can also be referred to as memory hollowing.

A proof of concept demonstrates how a system can be protected or compromised without building a complete working model.

See Potentially Unwanted Program.

A play on ‘owned’. Describes the act of attacking and ‘owning’ (gaining control of) a device, system or website which can then be bent to the attackers will, such as obtaining sensitive information like usernames and passwords.

A type of malware that prevents access to the target’s computer system or data until a ransom is paid to the attacker.

Different variants of ransomware can encrypt files, full disks or system configurations to prevent access and hold the user to ransom until a decryption key is paid for (usually by Bitcoin).

Anti-malware suppliers work to publish decryption tools. It is not recommended to pay any ransom demands and organisations should implement backup and recovery strategies to enable recovery from ransomware.   

See Remote Access Trojan.

See Remote Code Execution.

Activities undertaken by an organisation to limit or stop an attack, often as part of incident response. Remediation includes blocking malicious IP addresses, removing infected files or devices and restoring affected systems to a known good state.

Software that allows a remote user to control a system. It can also be referred to as a remote administration tool.

Legitimate implementations are common but RAT software can also be used for malicious activity. The malicious RAT software is typically installed by a trojan without the victim's knowledge and will try to hide its operation from the victim and from security software.

The ability to execute arbitrary commands issued from one device on another device. It is ypically used to refer to execution over a wide-area network, such as the internet.

Remote Procedure Call is a transport and application layer protocol that allows an application to request services from another application running on a separate networked device.

RPC uses TCP/UDP ports 80, 135, 443, 445 and 593. Port 135 is assigned to the endpoint mapper, used to identify connected devices and the port they are using, and is subject to several well-known vulnerabilities.

The ability of an organisation to manage cybersecurity incidents, recover from failure or damage and keep running continuously despite growing threats.

Unauthorised hardware that is connected to or near an organisation’s wireless network. The device can be used to gain access to sensitive data, send it back to an adversary or connect other devices to a network.

A rootkit is a type of malicious software which is executed before your computer's operating system has completed boot up - each time your computer boots up the rootkit is executed.

Rootkits are difficult to detect and may not be detected by AV software, which loads after the operating system has booted up. Many AV vendors’ products now include boot up scans and rootkit detection.

See Remote Procedure Call.

RunPE (short for Run Portable Executable) is a popular technique for disguising malicious programs behind legitimate applications. When a malicious program starts it will begin a new instance of a Windows process but in a suspended state; it will then overwrite that process's memory with its own code. The process is then resumed, but it now runs the malicious code instead.

A derogatory term for somebody who uses published exploits (also known as commodity attacks) rather than having the skill to develop their own.

Manipulating the unpaid results of a web search engine's results in order to increase the visibility of a certain result. Fraudulent SEO will attempt to direct users to malicious sites by making them appear to be more legitimate.

Secure Shell, also known as SSH, is a cryptographic network protocol used to securely run network services over insecure connections, typically using TCP port 22. The following IETF RFCs relate to SSH:

• RFC 4250
• RFC 4251
• RFC 4252
• RFC 4253
• RFC 4254
• RFC 4255
• RFC 4256
• RFC 4335
• RFC 4344
• RFC 4345

A protocol for transmitting private information across the internet. SSL uses an encryption system that uses two keys to encrypt data − a public key and a private (secret) key known only to the recipient of the message. SSL 1.0, 2.0 and 3.0 have been implemented. SSL has been superseded by TLS. The term SSL is however commonly used to refer to both SSL and TLS collectively.

A security incident that results in unauthorised access to data, applications, services, networks and/or devices by bypassing underlying security mechanisms.

A security breach could affect confidentiality, integrity or availability.

A security event is a change in the everyday operations of a network, service or device indicating that a security policy may have been violated or a security safeguard may have failed.

In the field of information security, SIEM is used to provide real-time analysis of security events and alerts generated by network hardware, operating system and applications.

SIEM solutions are generally used to consolidate logs from multiple ICT assets and syslog servers into one system. Anomalies and security events/alerts can be detected across an ICT estate in real time, which can then be investigated and responded to by security analysts.

See Search Engine Optimisation.

Server Message Block (SMB, also known as Common Internet File System, CIFS) is an application-layer networking protocol used for sharing access to files, devices or other miscellaneous communications between nodes on a network over TCP ports 139 and 445. It is primarily used by the Windows operating system, with several open-source implementations such as Samba available for other operating systems.

See SSH File Transfer Protocol - SFTP (Secure File Transfer Protocol).

Shodan is a search engine used to find publicly accessible internet-connected devices, including servers, IoT devices, security systems and home computers. Searches can be run that target specific device groups, with more detailed results being returned if a user has an API key.

Primarily a penetration testing tool, Shodan can easily be used by an attacker to find vulnerable devices for further exploitation.

Any attack that leverages information gained from a system's operation, such as power consumption, sound, computation timings or electromagnetic leaks, instead of from vulnerabilities in the system itself.

See Security Information and Event Management.

SNMP allows devices connected to a network to share information about their current state for network monitoring purposes and also provides a channel through which an administrator can modify pre-defined values.

To provide a degree of security, SNMP Community strings that work in a similar way to a password are transmitted to a device with any command string to authenticate its execution. 

Originally known as Simple Object Access Protocol, SOAP is a messaging-layer protocol used to provide access to web services. SOAP uses other application-layer protocol such as HTTPS for transmission.

A DNS sinkhole, also known as a sinkhole server, internet sinkhole, or blackhole DNS is a DNS server that gives out false information to prevent the use of a domain name.

Term typically used to define offices of up to 20 employees.

See Server Message Block.

A type of phishing attack that uses SMS messages (or other types instead of mobile messaging such as MMS or IM services) instead of email messages.

See Simple Network Management Protocol.

See Simple Object Access Protocol.

An attack method that tricks people into breaking normal security procedures by masquerading as a reputable entity or person in email, IM or other communication channels.

Social engineers try to trick victims into disclosing sensitive information or by allowing or doing something which compromises security, such as allowing physical access to a secure area or a user executing a malicious executable at the social engineers request.

Socket Secure (SOCKS) is an internet protocol that exchanges network packets between a client and server through a proxy server.

See Socket Secure.

See Small Office Home Office.

Unwanted and unsolicited bulk email. The email messages may be commercial by nature but can also contain disguised links that appear to be for familiar websites but lead to phishing websites or sites that are hosting malware.

Spam email may also include malware as scripts or other executable file attachments.

Spear phishing is a type of fraud whereby a phishing attempt is targeted against specific individuals or organisations. Attackers attempts to steal sensitive data such as passwords or credit card numbers, via social engineering. Attackers may gather personal information about their target to increase their probability of success. It is often used as part of reconnaissance activity by a hacker.

Spear phishing can be performed via email, phone calls, IM or other communication channels.

An attacker or program successfully masquerades as another by falsifying data for malicious reasons. Spoofing an email address to fool a recipients or an attacker spoofing their IP or hardware (mac) address in a man-in-the-middle attack are well known attack examples.

Software that gathers information about a person or organisation without their knowledge. The information may be sent to a remote destination and is usually used for malicious purposes.

See Secure Shell.

SSH File Transfer Protocol (IETF RFC 4251), also known as Secure File Transfer Protocol or SFTP, is a network protocol for remote access, transferal and management of files. It is an extension to the SSH 2.0 protocol.

See Secure Sockets Layer.

The practice of concealing a file, message, image, or video within another file, message, image, or video.

Subresource integrity is a feature that enables a web browser to verify that a fetched file corresponds to an expected hash value.

This describes an approach to analysing an adversary or threat with the intention of profiling their actions. Understanding the TTPs used by a threat provides a means to predict, detect and react to their actions with greater accuracy.

Telnet (IETF RFC 15 & 854), developed in 1969, is an interactive text-based client-server communication protocol. Typically used with a command-line interface to remotely access devices over TCP port 23, Telnet clients are available for almost all operating systems and platforms. However, Telnet was designed at a time when most computer devices were connected on local networks only and every user who connected was trusted, as such it is inherently insecure.

By default, Telnet connections are unencrypted, with all data transmitted as plaintext, meaning it is possible for any threat actor with access to the network between the Telnet hosts to intercept all traffic sent between them. This data could then be used by the actor for future attacks.

Most Telnet implementations will also not authenticate hosts to ensure communications are sent to the intended recipient.

See Trivial File Transfer Protocol.

The potential cause of an incident that could result in harm to systems and the organisation. Threats lead to the compromise of security.

Individuals or groups of people which express or pose a threat to your organisation, including hackers and internal employees (such as disgruntled, unskilled or overworked employees).

Methods for identifying system vulnerabilities and hacking behaviours. These can include a number of software and hardware technologies, such as machine learning, statistical modelling and network and web monitoring.

See Transport Layer Security.

See The Onion Router.

Open-source network software that disguises a user’s identity and location by encrypting data and routing traffic around an intercontinental network of servers run by volunteers. Often used by sites on the dark web, among others.

A torrent file usually contains a film, music or application downloaded in individual parts from multiple peers to increase the download speed. There are legal implications if copyrighted material is distributed using this method.

Transport Layer Security (TLS) is a family of cryptographic protocols intended to secure network communications sent between devices. It was first proposed in 1999 as a replacement for the Secure Sockets Layer protocol and has become the de-facto standard for web communications.

TLS has undergone several updates to add new capabilities and address vulnerabilities in the protocol. Please see below for a list of published protocols.

• TLS 1.0 - IETF RFC2246 - Released January 1999 - Deprecated in March 2020
• TLS 1.1 - IETF RFC4346 - Released April 2006
• TLS 1.2 - IETF RFC5246 - Released August 2008
• TLS 1.3 - IETF RFC8446 - Released August 2018

Triple Data Encryption Algorithm IEEE RFC1851 (3DEA, 3DES or Triple DES) is a symmetric-key encryption algorithm. It has been superseded by the AES algorithm.

Software that allows file transfers to a remote host, but does not support modern authentication methods and is vulnerable to attack if not protected by implementing security policies in the environment around it.

Named after the trojan horse from Greek mythology, a trojan is a type of malware that is often disguised as legitimate software, which tricks a user into installing it. Trojans usually have a payload of other malware and some open a backdoor that allows an attacker access to the victim's machine.

See Tactics, Techniques and Procedures.

See User Account Control.

A type of memory corruption vulnerability that arises when an attempt to access previously freed memory (memory that has been de-allocated from any process) is made. This can cause the application attempting to access the memory to crash or to behave unexpectedly, or it may lead to corruption of data used the said application.

UAC is a technology introduced by Microsoft, from Windows Vista onwards, to help prevent malware. An application is granted standard user privileges regardless of whether it has been launched by a standard user or a user with full administrator privileges.

If a trusted application requires administrative privileges, an administrator must grant the application elevated privileges to complete the task.

The act of reviewing a single piece of data to determine whether the data is correct. Any verification that grants access can be considered authentication.

Virtual machines (VMs) are individual, isolated computing environments that can share the hardware resources of a single host computer system.

VMs can be used to run multiple operating systems on the same computer at the same time, with each including their own applications and data.

A VPN is a method of hosting a private network across public infrastructure or the internet. End-to-end encryption and additional security measures are implemented to protect the traffic.

A malware that can make changes, corrupt or delete data on a computer. A virus needs user interaction to trigger it.

See Virtual Machine.

Volume Shadow Copy (also known as Shadow Copy, Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a proprietary Microsoft technology, included in their Window operating system, for creating and managing backup copies of files or volumes even when they are in use.

See Virtual Private Network.

A vulnerability is a weakness which allows an attacker to compromise security (integrity, confidentiality or availability).

Software program that automatically finds, assesses and reports vulnerabilities and weaknesses in a computer system, network or application. This is a popular form of threat detection.

A watering hole attack (also referred to as a strategic web compromise) is a type of attack strategy that targets a particular group of users. An attacker compromises a website commonly used by the target group with the assumption that group members are infected as they visit the site.

The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

A sophisticated phishing attacks in which senior ranking members of staff are targeted in an organisation by content crafted differently from a standard phishing attack.

We're now using the term 'allow list' instead of 'whitelist'. The National Cyber Security Centre (NCSC) have written a blog that helps to explain this change.

A wiper is a software tool used to erase information on computer hard drives.

A type of malware that is standalone and spreads to other machines by replicating itself. The replication rapidly consumes storage and creates performance issues. Worms are triggered without user interaction and are capable of targeted attacks. Worms can be used to distribute and drop other malware such as ransomware.

See Web Proxy Auto-Discovery Protocol.

The X-Forwarded-For (XFF) HTTP Header field is used to identify the original IP address of a client machine connecting to a server through a proxy server or load balancer.

See X-Forwarded-For Header.

See Cross Site Scripting.

Attacks that exploit a vulnerability in software that is unknown to the vendor and has no remediation available. This type of threat is particularly difficult to detect and defend against. The name refers to a vendor or organisation having no time to fix the vulnerability prior to attack. Can also be written as '0-day attack'.