Advanced Persistent Threats - APTs

Deliberate, considered attacks on security by outsiders who are determined to gain access to a system. They will attempt a number of attacks to try to gain access, spending significant time to infiltrate a system.


Adware

Software that downloads or displays unwanted advertisements in the application being used. Adware can also collect data on which sites the user visits and send this data back to the adware company to deliver targeted advertising to the user.

Allow list

An allow list, known in some places as a whitelist, is the opposite of a deny list. It is a list of trusted resources or destinations that a user or application can access. Allow listing is typically resource intensive, but is more secure than deny listing.

Anti-virus software

Designed to identify and remove computer viruses, other malware and spyware on a device or IT system. To be effective it should be kept up-to-date with the latest anti-virus signatures and definitions.

Arbitrary Code Execution - ACE

The ability of an attacker to execute any command they choose on a targeted device.

Artificial Intelligence - AI

The simulation of human intelligence in machines that are programmed to think like humans and mimic their actions.

Attack Surface

The aggregate of the different points where hackers could try to enter data or extract data from an environment. It applies to software, networks and humans, representing the sum of an organisation’s security risk exposure to hackers and internal users.

Attack Vector

The means by which an attacker can gain access to a computer, network, or server in order to deliver a payload or achieve a malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including any human elements.


Authentication

The act of confirming that a piece of data a user presents about themselves is true. There are three primary categories of factors that can be used for user authentication: something the user knows (e.g. password, PIN or security question), something the user owns (e.g. ID card, mobile phone or hardware token) and something the user is (e.g. fingerprints).

Both user location and time of access are now also considered authentication factors.

Authentication can be split into categories depending on the number of factors used in the authentication process: single-factor, two-factor, and multi-factor (please see separate entries below for further details).


Availability

One of the three pillars of cybersecurity; designed to ensure that systems are up and running, accessible, and not overloaded. Availability of services is usually targeted by DoS/DDoS attacks.


Backdoor

A backdoor is a method of bypassing normal authentication on a device. Backdoors are often used for obtaining remote access to a computer, or for obtaining access to plaintext in cryptographic systems.


Backup

The process of making a copy of data in an archive which can be used to reconstruct the original data in the event of a loss, corruption or disaster.


Biometrics

A characteristic of the human body that can be used to identify you, such as your fingerprint, facial structure, or irises.


Blacklist

We're now using the term 'deny list' instead of 'blacklist'. The National Cyber Security Centre (NCSC) has written a blog that helps to explain this change.


Botnet

An interconnected network of computers (bots) infected with malware without the user's knowledge and controlled by cybercriminals.

Typically used to send spam emails, transmit malware and engage in other acts of cybercrime that a single machine would not be able to undertake.

Bring Your Own Device - BYOD

A company policy that permits, encourages, or mandates employees to access an organisation’s systems and data using their personal devices for work-related activities. This is quite common for remote workers.

Brute-force Attack

A brute-force attack consists of an attacker systematically checking all possible passwords/passphrases in the hope of eventually guessing correctly.

Buffer Overflow

A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold.

Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.

An attacker can exploit this by pushing extra data into the stack, causing it to overflow and giving them access to data stored in memory.
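As an added illustration (not code from the original glossary), the C snippet below puts the unchecked copy the definition describes beside a bounds-checked version; the buffer size BUF_LEN and the sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16   /* fixed-length stack buffer used by the example */

/* Unsafe pattern: strcpy() copies until it finds the NUL terminator and
 * never looks at the destination size. Any input of BUF_LEN bytes or more
 * writes past the end of buf into adjacent stack memory (undefined
 * behaviour; this is the classic stack-based buffer overflow). */
void copy_unchecked(const char *src)
{
    char buf[BUF_LEN];
    strcpy(buf, src);               /* no bounds check */
    printf("copied: %s\n", buf);
}

/* Hardened pattern: measure the input against the destination size
 * before copying. Returns false (and copies nothing) when the input
 * plus its NUL terminator would not fit. */
bool copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {
        return false;               /* reject oversized input */
    }
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return true;
}

/* Helper: would this input overflow a BUF_LEN-sized buffer? */
bool would_overflow(const char *src)
{
    return strlen(src) >= BUF_LEN;
}

int main(void)
{
    char buf[BUF_LEN];
    const char *ok = "short input";                 /* constructed sample: 11 bytes, fits */
    const char *bad = "this input is far too long"; /* constructed sample: 26 bytes, too long */

    printf("'%s' fits: %s\n", ok, copy_checked(buf, sizeof buf, ok) ? "yes" : "no");
    printf("'%s' fits: %s\n", bad, copy_checked(buf, sizeof buf, bad) ? "yes" : "no");
    /* copy_unchecked(bad) would corrupt the stack; only call it with input that fits. */
    copy_unchecked(ok);
    return 0;
}
```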


Cache

A hardware or software component that stores data so that future requests for data can be served faster.

CIA Triad

The central focal point in cybersecurity; the maintenance of Confidentiality, Integrity and Availability.

Cipher text

The resulting output from running plain text through an encryption algorithm. This output cannot be understood if intercepted, and can only be decrypted if you have the correct decryption key.


Cloud

Servers that are accessed over the internet, enabling users to access the same files and applications from almost any device because computing and storage takes place on an external data centre server rather than locally on a device.

Code Injection

An attack that introduces malicious code into a software application and then executes the code when the application is opened. Examples include SQL injection, which can compromise or modify information in a database, and cross-site scripting (XSS) which can allow hackers to hijack user accounts or display fraudulent content.

Command and Control - C2

When tools are used to communicate with and control an infected machine or network.

Common Vulnerabilities and Exposures - CVE

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.

Common Vulnerability Scoring System - CVSS

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.


Confidentiality

One of the three pillars of cybersecurity; designed to keep sensitive information private and secure. This can be through password-protecting files, or implementing correct access controls, among other methods.


Cookies

Text files containing small pieces of data, like your username and password, that are used to identify your computer when you use a network. They can be used for session management, personalisation, or tracking.

Under GDPR many websites are now required to ask your permission to use anything other than the necessary cookies needed for the service to run correctly.

Credential Harvesting

Collecting legitimate users’ usernames and passwords to gain access to target systems, for malicious purposes.

Cross Site Request Forgery

An attack in which unauthorised commands are submitted from a user the website trusts, in order to perform malicious actions on the targeted website.

Cross Site Scripting - XSS

Malicious instructions (script) are injected into otherwise innocent and trusted web sites, allowing the attacker to modify the web page to suit the attacker's objectives. For example, extracting data, bypassing other security controls or delivering malicious code for the browser to execute on the user’s computer.


Cryptocurrency

A cryptocurrency (AKA crypto-currency) is a digital asset that is designed to act as an exchange medium. They use cryptography to verify and secure transactions, control the creation of new assets and protect the identity of asset holders. Popular cryptocurrencies include:

  • Bitcoin
  • Ethereum
  • Monero


Cryptography

Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

Modern cryptography is the central mechanism for achieving the following four security objectives:

  • confidentiality
  • integrity
  • non-repudiation
  • authentication


Cyber Attack

Deliberate exploitation of information systems to cause harm.


Cyber Incident

An event, whether intentional or not, that causes adverse consequences to an information system or its data.

Cyber Security

Protecting people and their computers, networks, programs and data from unauthorised access, exploitation, or modification.

Dark Web

A collection of thousands of websites which are not indexed by conventional search engines. They often use anonymity tools, like the Tor network, to hide their IP address and preserve the anonymity of the creators and visitors.

The dark web (also known as the dark net) provides anonymity that can be used for both good and bad causes, including protecting the communications of people living under oppressive regimes or protecting the identity of criminals.

Data Breach

When data is moved, accessed, or disclosed without authorisation. This can be accidental, like being sent an email that was not intended for you, or the consequence of a more serious cyber event like a ransomware attack.


Decryption

The process of transforming encrypted data back into a state in which it is usable by the system.

Deep Fake

Refers to videos and images that have the faces swapped or digitally altered with the help of AI.

Deep Learning

An AI method that teaches computers to process data in a way that is inspired by the human brain. It is a common sub-field of machine learning.

Denial-of-service - DoS

An attack where an attempt is made to flood a network, server or website with so much data that it becomes unusable.

Technically, DoS refers to an attack involving a single source which can easily be blocked. However, DoS is often used to describe all denial-of-service attacks including DDoS and other attacks which affect availability.

Deny List

A deny list, known in some places as a blacklist, refers to a list of untrusted resources or destinations that a user or application may not access.

Digital Footprint

The traces of digital information that online activity leaves behind about a person. Examples include the websites you visit, emails you send and receive, and information you submit online.

Digital Signature

An encrypted electronic stamp of authentication applied to digital information, confirming that the information originated from the person who signed it. If the digital signature received does not match the one transmitted, it can be assumed that the information has been altered.

Distributed Denial-of-Service - DDoS

A coordinated attack in which a botnet of multiple connected machines (usually infected with malware or otherwise compromised to co-opt them into the attack) floods a network, server or website with so much data that it becomes unusable. As multiple sources are involved, this attack is much harder to block.

DNS Reflection

A Denial of Service (DoS) attack where an adversary sends a malicious Domain Name Service (DNS) request to a DNS server that fools the server into responding instead to the victim of the attack. The origin of the attack is concealed from the victim.

DNS Server

A Domain Name Service (DNS) Server translates a domain name (which is easy for humans to remember) into its corresponding IP address, which computers use to route the traffic to the correct destination. Both public (open) and private DNS servers can be implemented.


Downloader

A tool used to download and install another payload on a target system. Typically used as the first stage for an infection.


Drive-by Download

A download which a user is not aware of or has not consented to. Commonly used to refer to malware downloaded from compromised legitimate websites.


Encryption

A method to scramble a message, file or other data and turn it into a secret code using an algorithm (complex mathematical formula). The code can only be read using a key or other piece of information (such as a password) which can decrypt the code.

Endpoint Protection

Technologies, software and strategies for securing devices such as laptops, mobile phones, tablets, workstations and servers that connect to a network. The devices are known as endpoints.


Exfiltration

Unauthorised transfer or copying of data from a system. It is also referred to as data theft or extraction.


Firewall

A security system that monitors and controls traffic between an internal network (trusted to be secure) and an external network (not trusted). It is generally considered insufficient on its own against modern cyber threats.

General Data Protection Regulation - GDPR

The General Data Protection Regulation (GDPR) 2016/679 is a European Union regulation covering data protection and individual privacy rights. It was introduced in April 2018 and enforced on 25th May 2018.

Generative AI

Services like ChatGPT and DALL-E are now widely available and can produce different types of content, such as audio, text, images, and synthetic data.


Hacker

A hacker is a computer and networking attacker who systematically attempts to penetrate a computer system or network using tools and attack methodologies to find and exploit security vulnerabilities.

Security professionals called penetration testers use the same tools and techniques as hackers to identify vulnerabilities so they can be remediated before they are exploited by hackers.


Hacktivist

Despite the absence of ‘cyber’ in their title, these hacker activists deserve a mention in our glossary. Hacktivists are computer hackers that have aligned themselves with a specific protest organisation or group of activists. Their activities can be similar to those of cyber terrorists or cyber-saboteurs.


Hash

The product of passing an arbitrary amount of data through a cryptographic hashing function. Hashes typically have a fixed length and are unique to the original data. Common hashing functions include:

  • MD5 - 128-bit hash value - 32 character string
  • SHA1 - 160-bit hash value - 40 character string
  • SHA256 - 256-bit hash value - 64 character string


Honeypot

A legitimate-looking decoy system or network set up to attract potential attackers. Once attackers are in, they can be tracked and have their behaviour assessed for clues that will help keep the real network secure.

Hypertext Transfer Protocol - HTTP

The Hypertext Transfer Protocol is a client-server application-layer protocol for distributed information systems and is the basic protocol used by the internet.

Data sent between a client and server over HTTP is not encrypted and could be intercepted and tampered with by a man-in-the-middle attacker.

Hypertext Transfer Protocol Secure - HTTPS

HTTPS is an extension of HTTP for secure communications. HTTPS uses Transport Layer Security (TLS) to authenticate and encrypt HTTP traffic.


Hypervisor

Manages the creation and execution of virtual machines on a host computer system.

Incident Response Plan

A policy outlining an organisation’s response to an information security incident. The document is formally approved by a senior leadership team, and details the procedures, steps, and responsibilities of the organisation.

Indicators of Compromise - IoC

Pieces of forensic data which indicate computer or network compromise that can assist in identifying potentially malicious activity on a system or network.

A specific threat, such as a particular malware variant, has specific IoCs which can be used to identify the variant of malware you are infected with. For example, certain files may be created or altered in a certain way, perhaps within a specific location, or a particular IP address may be contacted.

Information Security

The preservation of the confidentiality, integrity and availability of information; other properties such as authenticity, accountability and non-repudiation may be involved.


Integrity

One of the three pillars of cybersecurity; designed to ensure the correctness of data. If data is corrupted or altered it becomes useless, making data integrity attacks just as serious as data exfiltration.

Internet-of-things - IoT

The network of devices and objects that can connect to the Internet. This includes devices such as smartphones, tablets, laptops and servers, but is also starting to extend to transport, buildings and household items like doorbells, thermostats, lightbulbs and toys.

In a healthcare setting this can also include examples such as patient monitoring and asset tracking. This represents a major security challenge as any device can potentially be a target or conduit for an attack and remediation will be difficult to implement.

Internet Service Provider (ISP)

An Internet Service Provider is a company that provides a service allowing business or personal users to access the internet.

IP address

An IP address (Internet Protocol Address) is a label assigned to computer devices.

An IP address is essential for Internet Protocol communication.

IP addresses can be represented as an IPv4 address or an IPv6 address (example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

Key Generators

Key generators, often referred to as keygens, are tools designed to generate legitimate software activation keys. 


Keylogging

Keylogging, also known as keystroke logging or keyboard capture, is the action of recording, often secretly, the keys struck on a keyboard. An application used to perform keylogging is called a keylogger.

Keyloggers are typically used to gain access to sensitive information or credentials, and are most commonly seen in spyware or banking trojans.

Large Language Models - LLMs

A type of AI algorithm that uses deep learning techniques and large datasets to understand, summarise, generate and predict new content.

Living-off-the-land Attack - LotL

An attack where cybercriminals use native, legitimate tools already within the victim’s system as a way to sustain and advance the attack. This type of attack does not require files, meaning it does not require the attacker to install any code or scripts on the victim’s device.

Local Area Network - LAN

A collection of network-connected devices that are all located within a specific location, such as an office or home, hence them being “local” to each other.

MAC Address

A media access control (MAC, IEEE 802) address is a unique identifier assigned to a device's network interface controller. Typically stored in some form of read-only memory, MAC addresses are also known as hardware or physical addresses.

Machine Learning

A growing field concerned with designing and developing artificial intelligence algorithms, for automated knowledge discovery and innovation.


Malvertising

Malvertising is the act of inserting malicious advertisements into otherwise legitimate web pages or advertising networks.


Malware

Malware is malicious or hostile software used to disrupt, damage or compromise a computer system or network. It is often embedded in non-malicious files or programs and often includes:

  • computer viruses
  • worms
  • ransomware
  • spyware

Malware usually consists of a downloader which downloads a payload (from a command and control server) that contains the malicious code which attacks a target.

Malware-as-a-Service - MaaS

Authors of malicious software selling malware as a cloud-based service, similar to the wider legitimate IT industry.

For example, users can purchase spam campaigns from email botnets, rent ransomware kits in return for a portion of the payments going to the operators, or buy tailored information from a banking trojan.

Man-in-the-Middle - MitM

An attack method where the attacker is able to intercept messages passing between two victims and inject new ones without the victims being aware. Encryption tools can defend against such an attack.

Memory Allocation

The process of reserving virtual or physical computer space for specific purposes. This is part of the management of computer memory resources, known as memory management.


Miners

Miners, also known as cryptocurrency miners or cryptominers, are a form of malware that uses the resources of an infected device to generate units of a cryptocurrency.

MITRE ATT&CK Framework

A globally-accessible knowledge base for adversary tools, techniques and procedures, based on real-world observations, commonly used for attack attribution.

Multi-factor Authentication (MFA)

An authentication process that uses at least two forms of identification, for example, some payments may require a bankcard, a PIN, and a fingerprint. MFA is considered the strongest form of authentication.  See Single-factor (1FA) and Two-factor Authentication (2FA) for comparison.


Non-repudiation

Used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key, like a digital signature.


Obfuscation

Obscuring the intended meaning of communications by making a message difficult to understand. When used in code, syntax is made overly complicated, in the hope of confusing the reader so they cannot determine what the code is trying to do.

Patches and Patch Management

Patch management covers acquiring, testing and installing multiple patches (manufacturer released code changes) to a computer system or application. Firmware and software vendors release patches to fix defects, change functionality and to address known security vulnerabilities.

Penetration Testing

Also known as 'pen testing', the process of testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit. The attack, simulated by cyber security experts, helps identify where the system needs strengthening going forward.


Phishing

Phishing is a type of fraud in which the attacker attempts to steal sensitive data such as passwords or credit card numbers, via social engineering. Phishing can be performed via:

  • email
  • phone calls
  • instant messaging
  • other communication channels

Plain Text

Clear, understandable information that has not been encrypted. This information can be processed and understood by unauthenticated users.


Pop-up

A pop-up or pop-over is a form of online advertising that creates a new browser window. This new browser window appears in front of the current browser window.

Pop-ups can be created through clicking on a link or automatically by the web site.

Privilege Escalation

Privilege escalation exploits a bug, design flaw or misconfiguration in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

An application with more privileges than intended by the developer or system administrator can perform unauthorised actions.

Proof of Concept - PoC

A proof of concept demonstrates how a system can be protected or compromised without building a complete working model.

Proxy Server

An intermediary server that retrieves data from an internet source, like a webpage, on behalf of a user. They act as an additional security layer protecting users from malicious internet activity.

Quick Response Codes - QR

A type of machine-readable barcode, consisting of an array of black and white squares. They are typically used for storing URLs or other information; scanning the code with a smartphone camera redirects you to the contained link.


Quishing

A form of phishing attack that uses QR codes instead of text-based links in emails, digital platforms, or on physical items.


Ransomware

A type of malware that prevents access to the target’s computer system or data until a ransom is paid to the attacker.

Different variants of ransomware can encrypt files, full disks or system configurations to prevent access and hold the user to ransom until a decryption key is paid for (usually by Bitcoin).

Anti-malware suppliers work to publish decryption tools. It is not recommended to pay any ransom demands and organisations should implement backup and recovery strategies to enable recovery from ransomware. 

Remote Access Trojan - RAT

Software that allows a remote user to control a system. It can also be referred to as a remote administration tool.

Legitimate implementations are common but RAT software can also be used for malicious activity. The malicious RAT software is typically installed by a trojan without the victim's knowledge and will try to hide its operation from the victim and from security software.

Remote Code Execution - RCE

The ability to execute arbitrary commands issued from one device on another device. It is typically used to refer to execution over a wide-area network, such as the internet.


Resilience

The ability of an organisation to manage cybersecurity incidents, recover from failure or damage and keep running continuously despite growing threats.

Rogue Wireless Device

Unauthorised hardware that is connected to or near an organisation’s wireless network. The device can be used to gain access to sensitive data, send it back to an adversary or connect other devices to a network.


Rootkit

Software used by cyber criminals to gain control over a target computer or network without an authenticated user knowing. They are designed to stay hidden and undetected on your computer or network.


Salt

The process of passing a variable into a cryptographic algorithm to help improve the degree of randomness, in turn increasing security.


Sandbox

Running code in a safe, isolated environment on a network that mimics end-use operating environments. This is designed to prevent threats from getting onto the network and is frequently used to inspect untrusted or untested code.

Secure Shell - SSH

Secure Shell, also known as SSH, is a cryptographic network protocol used to securely run network services over insecure connections, typically using TCP port 22. 

Security Breach

A security incident that results in unauthorised access to data, applications, services, networks and/or devices by bypassing underlying security mechanisms.

A security breach could affect the elements of the CIA Triad.

Security Information and Event Management - SIEM

In the field of information security, SIEM is used to provide real-time analysis of security events and alerts generated by network hardware, operating systems and applications.

SIEM solutions are generally used to consolidate logs from multiple ICT assets and syslog servers into one system. Anomalies and security events/alerts can be detected across an ICT estate in real time, which can then be investigated and responded to by security analysts.

Server Message Block - SMB

Server Message Block (SMB, also known as Common Internet File System, CIFS) is an application-layer networking protocol used for sharing access to files, devices or other miscellaneous communications between nodes on a network over TCP ports 139 and 445. It is primarily used by the Windows operating system, with several open-source implementations such as Samba available for other operating systems.

Single-factor Authentication (1FA)

An authentication process that uses a single form of identification, such as a contactless payment that requires a bankcard. 1FA is the weakest form of authentication.  More secure processes are Two-factor (2FA) and Multi-factor Authentication (MFA).


Smishing

A type of phishing attack that uses SMS messages (or other types of mobile messaging, such as MMS or IM services) instead of email messages.

Social Engineering

An attack method that tricks people into breaking normal security procedures by masquerading as a reputable entity or person in email, IM or other communication channels.

Social engineers try to trick victims into disclosing sensitive information, or into allowing or doing something which compromises security, such as allowing physical access to a secure area or executing a malicious executable at the social engineer's request.


Software

The programs used by a computer, as well as other information that it relies on to operate.


Spam

Unwanted and unsolicited bulk email. The email messages may be commercial by nature but can also contain disguised links that appear to be for familiar websites but lead to phishing websites or sites that are hosting malware.

Spam email may also include malware as scripts or other executable file attachments.

Spear Phishing

Spear phishing is a type of fraud whereby a phishing attempt is targeted against specific individuals or organisations. Attackers attempt to steal sensitive data such as passwords or credit card numbers, via social engineering. Attackers may gather personal information about their target to increase their probability of success. It is often used as part of reconnaissance activity by a hacker.

Spear phishing can be performed via email, phone calls, IM or other communication channels.


Spoofing

An attacker or program successfully masquerades as another by falsifying data for malicious reasons. Spoofing an email address to fool a recipient, or an attacker spoofing their IP or hardware (MAC) address in a man-in-the-middle attack, are well-known examples.


Spyware

Software that gathers information about a person or organisation without their knowledge. The information may be sent to a remote destination and is usually used for malicious purposes.

Stack Overflow

A type of buffer overflow that occurs when a computer program tries to use more memory space in the call stack than has been allocated to that stack.


Steganography

The practice of concealing a file, message, image, or video within another file, message, image, or video.


Threat

The potential cause of an incident that could result in harm to systems and the organisation. Threats lead to the compromise of security.

Threat Actors

Individuals or groups of people who express or pose a threat to your organisation, including hackers and internal employees (such as disgruntled, unskilled or overworked employees).

Threat Detection

Methods for identifying system vulnerabilities and hacking behaviours. These can include a number of software and hardware technologies, such as machine learning, statistical modelling and network and web monitoring.

Tor - The Onion Router

Open-source network software that disguises a user’s identity and location by encrypting data and routing traffic around an intercontinental network of servers run by volunteers. Often used by sites on the dark web, among others.

Traffic Light Protocol - TLP

A set of designated colours (Red, Amber, Green and White) used for categorising the sensitivity level of information, and the audience it can be shared with.

  • Red – Highly Confidential. Not for disclosure. Restricted to participants only.
  • Amber – Sensitive. Limited disclosure. Restricted to organisation participants and their clients only.
  • Green – For increasing awareness. Limited disclosure. Restricted to the relevant community only.
  • White – Public. Disclosure not limited.


Trojan

Named after the Trojan horse from Greek mythology, a Trojan is a type of malware that is often disguised as legitimate software, which tricks a user into installing it. Trojans usually have a payload of other malware and some open a backdoor that allows an attacker access to the victim's machine.

Two-factor Authentication (2FA)

An authentication process that uses two different forms of identification; for example, a larger payment might require a bankcard and a PIN. This is a more secure authentication process than Single-factor Authentication. Compare with Multi-factor Authentication, which uses at least two factors.

Virtual Private Network - VPN

A VPN is a method of hosting a private network across public infrastructure or the internet. End-to-end encryption and additional security measures are implemented to protect the traffic.


Virus

Malware that can make changes to, corrupt or delete data on a computer. A virus needs user interaction to trigger it.


Vulnerability

A vulnerability is a weakness which allows an attacker to compromise security (integrity, confidentiality or availability).

Vulnerability Scanner

Software program that automatically finds, assesses and reports vulnerabilities and weaknesses in a computer system, network or application. This is a popular form of threat detection.


Wiper

A wiper is a software tool used to erase information on computer hard drives.

Wireless Area Network - WLAN

A LAN that uses radio transmission in place of copper or fibre cables. Wireless LANs provide versatility and are simpler and less expensive to set up than cabled networks, but are slower and more susceptible to security attacks.


Worm

A type of malware that is standalone and spreads to other machines by replicating itself. The replication rapidly consumes storage and creates performance issues. Worms are triggered without user interaction and are capable of targeted attacks. Worms can be used to distribute and drop other malware such as ransomware.

Zero-day Attack

Attacks that exploit a vulnerability in software that is unknown to the vendor and has no remediation available. This type of threat is particularly difficult to detect and defend against. The name refers to a vendor or organisation having no time to fix the vulnerability prior to attack. Can also be written as '0-day attack'.


The business concept that computer users only have access to the bare minimum required to do their job efficiently. This can be to software, data, or physical locations, increasing security within an organisation by not allowing someone to have access to something they do not need.


This page was last updated 03/05/2024.