Your A to Z Guide for Cybersecurity Terms
Professional organization that maintains standard controls & guidance for independent audits.
The AICPA or American Institute of Certified Public Accountants is a group headquartered right here in beautiful Durham, North Carolina.
You may ask yourself, what do accountants have to do with cybersecurity? The AICPA publishes the standards used by auditing firms to conduct System and Organization Controls reports for technology services firms – better known as SOC 2 audits. These audits can't be done by just anyone. The auditor must be accredited by AICPA. This ensures very high standards for tech firms wishing to receiving SOC 2 audit certification.
Advanced Persistent Threat (APT) groups are typically backed by or affiliated with governments that are adversarial to Western countries like the United States, and businesses or entities affiliated with the West. Many APT groups have a recognizable approach to their reconnaissance activities or their attack methods, prompting the FBI to come up with a list of over fifty named APT groups.
All APT groups are the most worrisome because they are highly skilled, methodical, well-funded, and have objectives that are sometimes very difficult to determine because they are often acting on behalf of a government. APT 10 often targets Managed Services Providers like Net Friends. This group alone keeps our Security Operation Center vigilant at all time.
Akira Ransomware is a double-extortion ransomware operation that emerged in March 2023, primarily targeting organizations in North America, Europe, and Australia. It exfiltrates sensitive data before encrypting files, threatening to leak the information if the ransom isn't paid. Akira targets large enterprises across various sectors, often gaining initial access via vulnerable VPNs or phishing. Ransom demands are typically high and negotiated through a dark web portal.
Learn More:
Suspicious activities on a network that could be a sign of a cyberattack.
BIOC stands for Behavioral Indicator of Compromise. These are identified as suspicious activities on a network that could be a sign of a cyberattack.
IOCs, Indicators of Compromise, have been around for decades. An IOC is a file or network transmission that is known to be a sign of a particular type of cyberattack. BIOCs were developed in response to newer, sophisticated malware that took pains to disguise its tracks. A BIOC looks for unusual activity, e.g., a solitaire program suddenly starts transmitting data to an IP address outside the US. The IP address and the program, separately, are not suspicious, but they become suspicious when one connects to the other.
This usually refers to a contingency plan that goes into play if critical systems go down.
"No plan survives contact with the enemy," and in BC/DR planning, testing is the enemy. A Disaster Recovery plan that hasn't been tested is of unknown value. When a system goes down to install vendor update patches, test its failover plan. Use tabletop exercises to simulate wider outages.
Report on an organization's readiness to protect the data in its custody from unauthorized use.
Cybersecurity assessments that don't follow a certified standard, such as SOC2 or ISO 27001, usually consider only the client's "logical controls," the policies and connections within its network infrastructure. High-quality cybersecurity assessments consider the client holistically. A thorough assessment will review the following:
Policy purchased to help reduce the financial risks of doing business online.
Cyber Insurance is a contract that the policyholder buys to reduce the financial risks of doing business online.
Any well-run business (1) in a high-risk industry, (2) with lots of sensitive records, or (3) has experienced an attack, is going to actively seek coverage to offset their risks. However, it's tough out there in Insurance-land! Insurance claims for ransomware attacks have skyrocketed in frequency and scale, significantly escalating year-over-year price increases. Here are a few key factors insurance companies will consider when assessing insurability:
DLP stands for Data Loss Prevention.
DLP is a suite of network monitoring tools and policies that block or alert when any user appears to be transferring sensitive personal or company information to an outside party.
Most of us encounter loss prevention systems daily – in the retail world. Security tags on goods, receipt verification, guards, and cameras are all examples of retail loss prevention, as are employee policies such as bag checks and cashier balancing. Data loss prevention uses technology, policies, and security personnel to do the same thing with data. Even small businesses have high-value files that need to be kept from walking out the door.
Used to scramble and unscramble data, altering it to appear random and block access.
The secret value that an encryption algorithm uses to regulate the encryption and decryption process. A key is an integer whose binary digit length serves as its definition. In general, more security is offered by keys with larger lengths.
An endpoint is anything that is the starting or ending point of any communication on a computer.
Simply put, any physical device that can be connected to a network.
Endpoint management is the practice of authenticating and supervising the access rights of endpoint devices to a network and applying security policies that prevent any external or internal threats posed by that access.
Recommended Reading:
The practice of authenticating and supervising the access rights of endpoint devices.
Endpoint management is the practice of authenticating and supervising the access rights of endpoint devices to a network and applying security policies that prevent any external or internal threats posed by that access.
Recommended Reading:
An intentional data breach.
"Exfiltration" has a James Bond sound to it, but it's just a fancy word for an intentional data breach. It occurs when a malicious actor or program exfiltrates, or transfers, confidential information to an unauthorized location. Exfiltration can be done by both internal and external parties, so preventing it requires a combination of DLP (Data Loss Prevention) and XDR monitoring (Extended Detection & Response), with emphasis on BIOCs.
A network security device that functions as a gatekeeper for network traffic access.
A firewall is a network security device that grants or rejects network access for traffic flow between an untrusted zone and a trusted zone. Firewalls are designed to perform port and protocol inspection, block unauthorized applications and data, recognize and preserve user identity, implement intrusion prevention, secure encrypted traffic, and detect and prevent advanced threats.
Also referred to as digital forensics or computer forensics.
Forensics is the application of investigative and specialized techniques to collect, preserve, process, and analyze data and computer-related evidence to support mitigation, criminal/fraud, counterintelligence, and/or law enforcement investigations.
Unauthorized attempts to exploit a private network or computer system.
Cyber hacking is the act of intentionally exploiting or compromising networks, digital devices, and computer systems without authorized access. The intent of these actions are often nefarious and a hacker will use varying tactics, such as vulnerability exploitations or social engineering, to gain unauthorized access, steal information, and/or disable operations for its victims.
A process that produces a numeric value or "hash value" to represents a set of data.
Hashing applies a mathematical algorithm against an arbitrary length of data to produce a fixed (often shorter) length numeric value or "hash value" to represent the original set of data. This process is applied to make it easier to find or use the original string of keys.
In cybersecurity, hashing is often used in encryption algorithms to enhance security. Hashed inputs are often futile to hackers who do not have decryption keys.
Stands for Information Security Office.
The ISO of an organization is the executive level above its SOC. The ISO decides what the organization's security standards and objectives are, handles regulatory compliance, makes decisions regarding risk mitigation, and represents the org's cybersecurity "interests" in discussions with other groups.
Interlock is a new ransomware group, active since late 2024, that targets Windows and Open-source Linux systems. It employs "double extortion," encrypting files and stealing data, threatening to leak it if the ransom isn't paid. They gain access via fake software updates and a social engineering tactic called "ClickFix," then use various tools for lateral movement and data exfiltration before encrypting.
A new twist on a briefly popular form of ransomware called "doxware."
In 2019, a new type of ransomware attack began to appear called leakware. A leakware attack differs from a standard ransomware attack in that encrypting the victim’s data is almost a secondary concern. The primary lever of extortion in leakware is to threaten to release the target’s confidential data, or that of its clients and partners.
The need for high-value data to use as extortion leverage is why the most frequent targets of leakware are organizations known to keep confidential data on behalf of their customers: hospitals, financial servicing, and law firms. Once the data is extracted, the ransomware attackers contact the clients, patients, and vendors of the target to encourage them to pressure the target to pay ransomware payments.
Recommended Reading:
LockBit Ransomware is a prominent ransomware-as-a-service (RaaS) operation active since 2019. It uses a double extortion method, encrypting victim data after stealing it and threatening to leak the information if the ransom isn't paid. LockBit targets a wide range of organizations globally, employing various initial access techniques and known for its fast, automated encryption and cross-platform capabilities (Windows, Linux, VMware ESXi). Despite law enforcement disruptions, it remains a significant cyber threat.
Learn More:
Maze Ransomware was a significant ransomware operation active known for pioneering the double extortion tactic. It targeted high-value organizations by first exfiltrating sensitive data and then encrypting systems, threatening to publish the stolen information if the ransom wasn't paid. Maze attacks were typically human-operated, sophisticated, and focused on Windows environments. The group announced its shutdown in late 2020, but its double extortion model influenced many subsequent ransomware variants.
Learn More:
Stands for Managed Detection & Response.
The need for high-value data to use as extortion leverage is why the most frequent targets of leakware are organizations known to keep confidential data on behalf of their customers: hospitals, financial servicing, and law firms. Once the data is extracted, the ransomware attackers contact the clients, patients, and vendors of the target to encourage them to pressure the target to pay ransomware payments.
Stands for Managed Security Service Provider.
MSSP stands for Managed Security Service Provider. Common MSSP services include reviewing network device logs for suspicious activity and managing security monitoring software on end user workstations.
Don't confuse MSSPs with MSPs (Managed Service Provider). MSPs primarily interact with customer employees to support their daily work. MSSPs typically interact only with a customer's executives and internal IT department on highly technical matters. The skill sets are very different. Although some companies have planted a flag in both camps – often by acquiring a smaller firm – don't assume that competence in one field will translate to the other.MSSP stands for Managed Security Service Provider. Common MSSP services include reviewing network device logs for suspicious activity and managing security monitoring software on end user workstations.
Stands for the National Institute of Standards and Technology at the U.S. Department of Commerce.
The National Institute of Standards and Technology at the U.S. Department of Commerce (or NIST for short) is a non-regulatory agency that promotes technology advancements, identifies and targets metrics, and instigates standards for cybersecurity.
The NIST Cybersecurity Framework is a leading compliance guideline that help U.S. businesses manage and reduce their cyber risks, protect their data, and secure their network infrastructure.
Software programmed on a computer system as initial boot program.
The initial software boot program loaded onto a computer system, which managed the computing resources and the flow of information into and from the main processor. It also manages memory, the input/output of peripheral devices, display controls, and networking, application, and file components.
Short for Penetration Testing or also known as "White Hat Hacking."
A pentest is a multi-day effort by a certified security analyst to test the defenses and vulnerabilities of a networked asset. At the end of the test, the analyst will compose a report on findings and deliver it to the customer, along with a set of recommendations to fix any detected problems.
Net Friends offers penetration testing, or "pentest" services, for our customers' network resources. Customers can order a pentest for a web application – such as an ordering interface – or for a server, whether on a LAN or exposed to the internet.
A socially engineered scam that prioritizes tricking a large quantity of its targets.
The messaging and format of phishing scams are often generic and sent to a large group of targets with the goal of increasing the chances of deceiving a victim. These attacks tend to skip personalization tactics to prioritize quantity.
Phishing attacks conducted by phone are called vishing or voice-phishing scams. When phishing attacks are conducted by text messages, this is known as a smishing or SMS-phishing scam.
Recommended Reading:
Physical security is integral to every organization's cybersecurity best practices.
As workforces become more technologically integrated, it is still vital to account for physical security risks in our everyday business practices. Physical security and cyber security often appear as separate concerns (and even separate departments within an organization). However, physical security breaches can lead to hacking exploits, and vice versa, where hacking breaches can cause physical threats to your business.
RansomHub is a Ransomware-as-a-Service (RaaS) group that emerged in early 2024. It operates by providing ransomware to affiliates who conduct attacks, often using double extortion (stealing data before encryption and threatening to leak it). The group has quickly become prominent, attracting affiliates from defunct ransomware operations and targeting various sectors
Learn More:
Malware that encrypts a victim's files for extortion. Simply put, it's data kidnapping.
Malware called ransomware encrypts files on a device, making any files that depend on them unusable. Ransom is then demanded in exchange for the decryption by malicious actors.
REvil was a prominent Ransomware-as-a-Service (RaaS) operation active mainly from 2019-2021. It targeted large organizations, employing "double extortion" by stealing data before encryption and threatening to leak it if the ransom wasn't paid. Known for high-profile attacks and demanding large ransoms, its operations were eventually disrupted by law enforcement.
Learn More:
Also known as Cybersecurity Assessment. Used to understand cyber strengths, weaknesses, and gaps.
An evaluation of a company's capacity to safeguard its data and IT infrastructure from cyber attacks. The key objectives of a cybersecurity risk assessment include the identification, evaluation, and prioritization of risks to information and information systems within your IT environment.
Risk assessments measure and evaluate an organization's cyber health against leading cybersecurity frameworks to identify and prioritize areas for improvement.
Recommended Reading:
Ryuk Ransomware is a highly targeted, human-operated ransomware that emerged in August 2018. It exclusively attacks large organizations and critical infrastructure, demanding substantial ransoms. Often delivered as a late-stage payload by malware like TrickBot or Emotet, Ryuk focuses on disrupting operations by encrypting critical Windows systems and deleting recovery options.
Learn More:
Stands for Security Information and Event Management
SIEM (or Security Information and Event Management) is a security solution that offers real-time monitoring and analysis to help organizations recognize potential security threats and vulnerabilities before they can disrupt the business operation.
SIEM focuses on surfacing user behavioral anomalies and leverages AI to automate manual processes associated with threat detection and incident response.
Stands for Security Operations Center. (SOC is pronounced "sock")
A Security Operations Center (SOC) is a centralized team of security analysts focused on proactive monitoring, incident response and recovery, and various remediation activities. SOC teams are increasingly distributed remotely, rather than concentrated in a single room or physical "center."
A SOC analyst's primary goal is to investigate indicators of compromise to determine exactly when, how, and even why a security attack was successful. This is known as root-cause analysis.
Stands for System and Organization Controls 2, Type I.
A SOC 2 Type I audit must be performed by a licensed CPA firm that specializes in Information Security. The AICPA (American Institute of CPAs) stipulates guidelines known as the Trust Services Criteria. The SOC 2 Type I report is a point-in-time attestation of controls at a service organization. While Type I confirms the service organization's system and the suitability of the design of controls, Type II tests the operating effectiveness of those controls.
Recommended Reading:
Stands for System and Organization Controls 2, Type II.
A SOC 2 Type II audit must be performed by a licensed CPA firm that specializes in Information Security. Audit guidelines are regulated by the AICPA (American Institute of CPAs). A SOC 2 Type II report will attest to a service organization's demonstration for the suitability of the design and operating effectiveness of controls in accordance with the following Trust Services Criteria:
Stands for SOC-as-a-Service. SOC is short for Security Operations Center.
This term scores high on the buzzword-meter, because it typically means nothing more than "outsourced SOC." Whereas many MSSPs position themselves to augment your internal SOC team with security analysts, an MSSP offering SOCaaS will take on all SOC duties as an all-inclusive service. The most significant "extra" measure you typically gain with SOCaaS is usually Incident Response.
A socially engineered phishing scam that leverages text messages.
A smishing, or SMS-phishing, attack is conducted over text message and seeks to deceive victims into exposing sensitive information. One of the best ways to stay vigilant is to avoid clicking on unknown URLs sent to your mobile device from unknown sources. Delete these text messages immediately and report it on your messaging app.
Cyber tactic that leverages psychology to manipulate people into surrendering confidential information.
Social engineering uses human psychology to “engineer” or manipulate people into surrendering confidential information and valuable assets. For example, instead of hackers attacking your network, they may pose as an IT support person to trick a staff member into revealing their credentials.
Social engineering attacks are rising, with Accenture Security reporting a 16% annual increase and noting that 85% of organizations now experience them. Cybercriminals seek passwords, passcodes, consumer data (such as social security numbers), financial data, or business secrets.
A socially engineered phishing scam that targets specific individuals or organizations.
The goal of spear phishing is to deceive a target into divulging sensitive information by leveraging highly individualized information. A spear phishing deception is often backed by in-depth research on a target so that the phishing email, text, or phone call appears personalized.
The act of identifying previously unknown or ongoing, non-remedied threats within a network.
Threat hunting is a proactive approach that often builds upon a hypothesis to pursue potential indicators of a compromise. It is not a "service," however threat hunting is best defined as a process that security analysts take to investigate alerts or discover vulnerabilities to identify a path to resolution, as required.
A multi-user and multi-tasking operating system (OS) originally developed in the 1970s.
UNIX is a modular operating system (OS) with a master control program, known as the kernel, with the capabilities to start and end programs, allocate memory, manage files, schedule tasks, and respond to system requests. Unix is credited for largely influencing the development of the internet and transforming computing into a network-centric system.
A patch, upgrade, or modification to code that corrects software security or functionality.
An update is applied in software development to patch, upgrade, or modify a code to improve and correct the security or functionality of a software program. The most common application for everyday computer users is the application of OS (operating system) upgrades.
Individual, device, or process that interacts with an information system.
A patch, upgrade, or modification to code that corrects software security or functionality.
Whaling is a form of social engineering, where senior or c-suite executives are targeted with phishing attacks. The high-profile status of the target makes them more valuable to exploit. Whaling attacks are successful at fooling high-level and sophisticated decision-makers, because the tactics are supported by a significant amount of target research.
A worm in computing is a self-replicating viral program that uses network mechanisms to spread itself.
From its namesake, a worm is an independent computer program that can self-propagate and self-replicate a complete working version of itself on other hosts within a network. A worm can destructively consume system resources as it spreads itself and infects other computers. This viral effect makes it a malicious program designed to harm a host network.
XDR stands for eXtended Detection & Response
XDR, short for extended detection and response, aims to eliminate standard security silos in order to execute detection and response across all data sources.
While EDR (endpoint detection & response) optimizes real-time threat detection, investigation, response, and hunting, XDR unifies multiple security products into a cohesive and cloud-native security operations system.
Zero Trust is governed by the principle to "never trust, always verify."
Zero Trust is a strategic approach to cybersecurity that eliminates implicit trust and continuously verifies every interaction with the digital system in order to secure an organization.
Zero trust threat prevention tactics typically leverage strong authentication methods, "least access" policies rooted in the Principle of Least Privilege (PoLP), micro-segmentation, and end-to-end access visibility.