The topic of cybersecurity is much like an iceberg — the basics are generally known, but more detail and complexity lie beneath the surface. People generally know that they should not click on phishing emails, but when it comes to understanding the malware that those emails are trying to dump on their computers, the complexity of the situation skyrockets. 

Add advanced technology such as AI, or simply a look at what happens behind the screen, and many people will throw up their hands in defeat and say, “I don’t get it.” Not everyone needs to know every detail of cybersecurity, but we believe everyone should have a basic grasp of its key parts, so they do not accidentally give an attacker a way in.

What common terms are used in cybersecurity?

Cybersecurity terminology is full of acronyms and jargon. Knowing some ground-floor terms helps make sense of the tangle of technical words.

APT (Advanced Persistent Threat)

An Advanced Persistent Threat is an attacker (typically a nation-state or state-sponsored group) that gains unauthorized access to an organization, usually through phishing, malware, stolen credentials or exploitation of exposed systems, and then quietly keeps that access to files, email, assets and data. What sets an APT apart from most other attacks is the combination of stealth and persistence: the intruder aims to stay active in the environment for a long time without being noticed. Left undetected for weeks, months or even years, the attacker can collect a large amount of an organization's data for espionage, sale or later use.

CIA 

An acronym for confidentiality, integrity and availability, the CIA triad is the model security professionals use to frame and prioritize their work. Confidentiality means only authorized parties can read data; integrity means data is not altered or destroyed without authorization; availability means systems and data are reachable when legitimate users need them. The three pull against each other: locking data down too tightly hurts availability, while making it freely reachable puts confidentiality at risk, so controls are chosen to balance all three.

Cloud 

The Cloud is, at its core, computing infrastructure (storage, processing, networking and services) that an organization rents from a provider and reaches over the Internet rather than running in its own data center. Cloud computing is the on-demand delivery of those resources. Cloud security is the protection of the data, servers and services hosted in those remote environments from theft, alteration and unauthorized access. Under the shared responsibility model, the provider secures the underlying platform while the customer remains responsible for its own configuration, identities and data; most cloud breaches come from the customer's side of that line, such as a storage bucket left open to the world.

DDoS (Distributed Denial-of-Service)

A DDoS attack attempts to disrupt the normal traffic of a server, service or network by flooding it with requests from many sources at once until it slows, drops legitimate connections or crashes. The "distributed" part matters: because the traffic arrives from thousands of addresses, it cannot simply be blocked at its source. Those sources are usually a botnet of malware-infected devices around the Internet, which the group controlling it rents out to anyone who wants to launch an attack.

Identity and Access Management (IAM)

IAM is the set of policies, processes and tools an organization uses to match people (and, increasingly, services and devices) with the level of access they should have to company assets, data and technical resources. It covers authentication (proving an identity is who it claims to be) and authorization (deciding what that identity may do) for both software and hardware, and applies to employees, contractors and customers alike. The guiding principle is least privilege: each identity gets only the access its job requires, and nothing more.
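The distinction between authentication and authorization, with a deny-by-default policy, as an added example (this is not code from the original page). The users, roles and permissions are constructed sample data, and the single static salt and iteration count are simplifications for the demo:

```python
"""Authentication versus authorization with a deny-by-default policy.

Added illustration, not code from the original page. The users, roles and
permissions are constructed sample data; the salt and iteration count are
simplified for the example (use a random per-user salt in production).
"""
import hashlib
import hmac

_SALT = b"constructed-example-salt"  # assumption: one static salt for the demo
_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    """Derive a slow, salted hash so stolen hashes are costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed identity store: password hashes only, never plaintext.
USERS = {
    "alice": {"pw": _hash_password("correct horse battery"), "roles": {"analyst"}},
    "bob":   {"pw": _hash_password("hunter2"),               "roles": {"helpdesk"}},
}

# Role -> permissions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "analyst":  {"siem:read", "tickets:read"},
    "helpdesk": {"tickets:read", "tickets:write"},
    "admin":    {"siem:read", "siem:admin", "tickets:read", "tickets:write", "users:manage"},
}

# Hash compared against when the username is unknown, so a bad username takes
# as long as a bad password (no account enumeration through timing).
_DUMMY_HASH = _hash_password("")


def authenticate(username: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?"""
    user = USERS.get(username)
    stored = user["pw"] if user is not None else _DUMMY_HASH
    matches = hmac.compare_digest(stored, _hash_password(password))  # constant-time
    return user is not None and matches


def authorize(username: str, permission: str) -> bool:
    """Authorization: may this (already authenticated) identity do X?

    Least privilege: a permission is granted only if one of the user's roles
    explicitly lists it. Unknown users and unknown roles yield no permissions.
    """
    user = USERS.get(username)
    if user is None:
        return False
    granted = set()
    for role in user["roles"]:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return permission in granted


def access(username: str, password: str, permission: str) -> str:
    """Full IAM decision: authenticate first, then authorize."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    for who, pw, perm in [("alice", "correct horse battery", "siem:read"),
                          ("alice", "correct horse battery", "tickets:write"),
                          ("bob", "wrong password", "tickets:read"),
                          ("mallory", "anything", "users:manage")]:
        print(f"{who:8} {perm:14} -> {access(who, pw, perm)}")
```

Note the order: a valid password does not grant anything by itself, and a permission the user's roles do not list is refused even for a correctly authenticated user. Real deployments move the role table into a directory or policy engine, but the two-step decision and the default deny stay the same.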

Incident vs Event vs Alert 

A security event is any observable occurrence in a system or network with security relevance: a login, a blocked connection, a file change. Most events are benign. An alert is the notification a monitoring system raises when one event, or a correlation of many events drawn from logs, matches a rule that suggests something is wrong; alerts are what the IT and security teams actually see. An incident is an event, or a set of events, confirmed to harm or credibly threaten the business: data exposed, systems unavailable, an attacker inside the network. It requires significant effort to identify, contain and remediate. The same kind of event can be noise in one case and part of an incident in another: a single failed login is normal, while a burst of failed logins followed by a successful one from the same unfamiliar source warrants escalation.
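The event, alert and incident distinction run over sample log lines, as an added example (not code from the original page). The SSH log lines are constructed, and the rule names, the five-failures-in-sixty-seconds threshold and the escalation condition are assumptions chosen for the illustration:

```python
"""Events, alerts and incidents over constructed SSH authentication logs.

Added illustration, not code from the original page. The log lines, the
threshold (5 failures in 60 s) and the rule names are assumptions for the
example: every login attempt is an event, the brute-force rule raises an
alert, and a success right after an alert from the same source escalates
to an incident.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses).
LOG = """\
2024-03-04T10:01:02Z sshd host=web01 user=svc_backup src=203.0.113.7 result=FAIL
2024-03-04T10:01:05Z sshd host=web01 user=svc_backup src=203.0.113.7 result=FAIL
2024-03-04T10:01:08Z sshd host=web01 user=svc_backup src=203.0.113.7 result=FAIL
2024-03-04T10:01:11Z sshd host=web01 user=svc_backup src=203.0.113.7 result=FAIL
2024-03-04T10:01:14Z sshd host=web01 user=svc_backup src=203.0.113.7 result=FAIL
2024-03-04T10:01:20Z sshd host=web01 user=svc_backup src=203.0.113.7 result=OK
2024-03-04T10:05:00Z sshd host=web02 user=jsmith src=198.51.100.4 result=FAIL
2024-03-04T10:05:09Z sshd host=web02 user=jsmith src=198.51.100.4 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5              # assumption: failures that trigger the alert
WINDOW = timedelta(seconds=60)  # assumption: correlation window


@dataclass
class Event:
    """One observable occurrence: a single login attempt, benign or not."""
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_events(text: str) -> list:
    """Turn raw log lines into events; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, d["host"], d["user"], d["src"], d["result"]))
    return sorted(events, key=lambda e: e.ts)


def triage(events: list) -> tuple:
    """Correlate events into alerts, and alerts plus later events into incidents."""
    alerts, incidents = [], []
    recent_fails = {}   # src -> timestamps of failures inside the window
    last_alert = {}     # src -> the brute-force alert most recently raised for it
    for ev in events:
        fails = [t for t in recent_fails.get(ev.src, []) if ev.ts - t <= WINDOW]
        prior = last_alert.get(ev.src)
        if ev.result == "FAIL":
            fails.append(ev.ts)
            # One alert per source per window, to avoid alert fatigue.
            if len(fails) >= FAIL_THRESHOLD and (prior is None or ev.ts - prior["ts"] > WINDOW):
                alert = {"rule": "ssh_brute_force", "ts": ev.ts, "src": ev.src,
                         "user": ev.user, "host": ev.host, "failures": len(fails)}
                alerts.append(alert)
                last_alert[ev.src] = alert
        else:  # result == "OK"
            # Success shortly after a brute-force alert: the guessing probably
            # worked, so this is a high-impact incident, not just another alert.
            if prior is not None and ev.ts - prior["ts"] <= WINDOW:
                incidents.append({"severity": "high",
                                  "summary": "suspected credential compromise",
                                  "user": ev.user, "host": ev.host, "src": ev.src,
                                  "ts": ev.ts, "alert": prior})
        recent_fails[ev.src] = fails
    return alerts, incidents


if __name__ == "__main__":
    evs = parse_events(LOG)
    al, inc = triage(evs)
    print(f"{len(evs)} events, {len(al)} alerts, {len(inc)} incidents")
    for i in inc:
        print("INCIDENT:", i["summary"], i["user"], "on", i["host"], "from", i["src"])
```

On the sample, all eight lines are events, only the five rapid failures from 203.0.113.7 produce an alert, and only the success that follows them becomes an incident; jsmith's single typo and retry produce nothing. In a real pipeline the incident record would open a ticket and start the incident response process rather than just being returned.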

Incident Response (IR)

Incident Response is the work that begins once an incident has been identified and must be addressed. It often requires a specialized team and includes both technical activities (containing the attacker, preserving evidence, restoring systems) and business-level ones (customer, legal and management communication). The goal of IR is to limit the cost and damage of the attack. Identifying the root cause is key, since it tells the organization what to fix so the same attack cannot succeed again.

Incident Response Plan (IRP) 

An Incident Response Plan is the documented set of policies and actions an organization follows to contain, respond to and manage a security incident: who is called, how the incident is classified, what gets isolated, and who may speak for the company. A plan may be limited to technical activities and resources, but more mature plans also take into account legal, compliance and public relations requirements, and are rehearsed before they are needed.

Insider Threat

An insider threat is a security risk that comes from inside an organization: current or former employees, contractors, partners or board members who have, or had, legitimate access. The term is usually reserved for deliberate action by such an individual to harm the organization, with accidental policy violations treated as a separate problem of negligence. Some frameworks, such as CISA's, count careless insiders as well, because a misdirected email or a misconfigured share can cause the same damage as a malicious act.

Machine Learning

Machine learning is a branch of artificial intelligence (AI) in which a system learns patterns from data rather than being given explicit rules; in security it is used to process volumes of data no analyst could read. Doing this well needs large quantities of data, often far more than the 90 days or so of logs a typical SIEM retains, along with statistical expertise from data scientists and other professionals. It looks for the patterns and outliers that mark security problems not readily visible through other tools or to other professionals, such as threat hunters. Once a pattern is identified, defenses can be adjusted across the security infrastructure for more proactive prevention. The caveat is that a model is only as good as its training data: it can miss attacks that look like normal traffic and raise alerts on legitimate but unusual activity, so its output is a lead for an analyst to check rather than a verdict.
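The outlier-finding idea above in its simplest form, as an added example (not code from the original page). This is a statistical baseline rather than a trained model: each user's daily counts are scored with a robust z-score based on the median absolute deviation, so one user's normal volume does not set the bar for another. The download counts are constructed sample data and the 3.5 cutoff is the usual rule of thumb for this score:

```python
"""Per-user baseline outlier detection with a robust z-score.

Added illustration, not code from the original page, and a statistical
baseline rather than a trained model. The counts are constructed sample
data; the 3.5 threshold is the common rule of thumb for modified z-scores.
"""
import statistics

# Constructed: files downloaded per user per day over two weeks.
DAILY_DOWNLOADS = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "bob":   [40, 42, 38, 41, 45, 39, 44, 41, 40, 43, 42, 39, 41, 40],  # heavy but steady
    "carol": [9, 11, 10, 8, 12, 10, 9, 11, 10, 9, 10, 11, 10, 600],      # spike on the last day
    "dave":  [5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 7],                 # constant, tiny blip
}


def robust_zscores(values):
    """Modified z-score: 0.6745 * (x - median) / MAD.

    Median and MAD are used instead of mean and standard deviation because
    the very outlier we are hunting would otherwise inflate the baseline
    and hide itself. The 0.6745 factor makes the score comparable to an
    ordinary z-score for normally distributed data.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        # Constant history: any deviation would divide by zero. Fall back to
        # a MAD of 1 so a one-unit blip does not become an enormous score.
        mad = 1.0
    return [0.6745 * (v - med) / mad for v in values]


def find_outliers(series, threshold=3.5):
    """Return {user: [day indexes]} whose count is far above that user's own norm."""
    findings = {}
    for user, values in series.items():
        spikes = [i for i, z in enumerate(robust_zscores(values)) if z > threshold]
        if spikes:
            findings[user] = spikes
    return findings


if __name__ == "__main__":
    for user, days in find_outliers(DAILY_DOWNLOADS).items():
        print(f"{user}: anomalous day(s) {days}")
```

Only carol's last day is flagged. bob downloads three times as much as anyone else every day, which a single global threshold would report constantly, but against his own history nothing stands out; dave's constant history shows why the zero-MAD guard is needed. Production systems replace this per-user baseline with models that weigh many features at once, but the per-entity baseline and the "unusual for whom?" question carry over unchanged.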
