Like every industry or sector, cybersecurity and vulnerability management have their own language – an often-confusing mix of acronyms, initialisms, jargon and idioms that acts as a shorthand for those in the know but which can be bewildering to navigate and interpret for anyone not working within the sector. Below, we lay out some of the more common terminology that you may encounter and explain both the meaning of each term and its relevance to protecting your technical estate from cybersecurity threats.
An exploit is a repeatable technique that has been established by an attacker to take advantage of a discovered vulnerability and use it to breach the security of a network or information system. It can consist of either executable code or simply a sequence of steps that can be carried out manually. An exploit is a “blueprint” or masterplan, in that it is not an instance of an attack, but the process or method of carrying it out.
A vulnerability is a weakness in a system or hardware that can be exploited by a malicious actor to compromise the confidentiality, availability, and integrity of stored data. It is either an inherent characteristic or a specific weakness that renders the system itself, or any data that it stores, processes, or has access to, open to exploitation by a given threat, or susceptible to a given hazard. Vulnerabilities can be either permanent or transient, and occur through flaws, features or user error. A commonly seen taxonomy defines four primary vulnerability types: Network, OS (Operating System), Human and Process. The first two types relate primarily to software or configuration flaws and might be what we initially think of in relation to vulnerabilities, but human error and lack of suitable process or policy can also constitute vulnerabilities.
An attack is an executed instance of an exploit – that is, the instantiation of a known exploit method that is being actively used to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
Any condition, event, or set of circumstances with the potential to impact security. Also known as hazards. Can relate both to vulnerabilities and weaknesses but also to accidents, faults, failures, and misuse or abuse.
An individual, group, organisation, or government that conducts or has the intent to conduct detrimental activities due to a combination of both having access to one or more documented exploits, as well as the power or willingness to use these exploits in an active attack. Threat actors may be either internal or external to an organisation.
A specific method used by a threat agent to exploit a vulnerability, usually framed in terms of the access required to do so along with the relative position from which the attack is possible. For example, a successful exploit of an LDAP vulnerability may require privileged internal network access if an organisation’s LDAP server is firewalled from external or guest network access. Minimising possible attack vectors is one reason why the principle of least privilege is a key principle within cyber security, and a reason to minimise the attack surface of hosted systems.
The set of ways in which an adversary can enter a system and potentially cause damage. Generally defined in terms of the set of points on the boundary of the system or environment that an attacker can try to enter, such as IP address space, open ports, and listening services. In general, the more services a system is running (especially non-essential services) the less hardened it is said to be and the larger its attack surface, and hence the higher its risk of exploit. Various tools such as the CIS Benchmarks exist to provide both evaluation of a system’s current attack surface as well as guidance on hardening those systems by reducing their attack surface to improve their security.
The degree or magnitude of harm to an organisation that can result from the consequences of a successful execution of an exploit on a given system. Is sometimes further defined in terms of individual impact on the three different components or concerns of information security – the availability of the system, as well as the confidentiality and integrity of the data that it stores, processes or transmits.
A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized individual. Data breaches may involve many kinds of information, including financial records, credit card details, or corporate intellectual property.
Any measure that is introduced by an organisation to manage or modify a risk, including administrative measures (policies and procedures) as well as technical solutions.
An official register of security flaws found in specific software and publicly disclosed (generally after the release of a fix/patch from the vendor). Used to provide unambiguous reference to specific vulnerabilities. For example, “CVE-2022-22690” relates to a Password Reset weakness in the Umbraco CMS product at versions 9.2.0 and lower.
A taxonomy of IDs (e.g., “CWE-1222”) that is used for categorising and identifying common reasons for software flaws that may be introduced due to failures in any stage of the software development lifecycle from planning through to implementation and maintenance. Unlike CVEs (which apply to specific systems/codebases), CWEs are abstract and independent of their origin or system that they are present within and may be instantiated thousands of times in products from various vendors – for example “failure to check input data” (CWE-20) is a CWE code, but it may be instantiated/found in many codebases. Is used to provide general best-practice guidance on how to detect, mitigate or prevent individual instances.
A system used for providing standardisation for the classification of vulnerabilities, by rating their attributes such as severity or impact, the attack vector or network position required to exploit them, as well as the availability of existing exploits or complexity of developing exploits against them. The individual metrics are input into a standardised mathematical formula to provide a CVSS “score” on a scale of 0-10, allowing different vulnerabilities to be “ranked” or compared, to judge their overall risk and hence steer prioritisation on remediation. Incorporates a system for the “base” score to be adjusted based on temporal factors (those that change over time) such as the availability of a fix as well as environmental factors (the impact of the vulnerability on a given system given its data sensitivity or system criticality).
A “network of robots” – a collection of computers that belong to other users or organisations but have been compromised by an attacker using malicious code such that the attacker can both maintain ongoing access to them and also cause them to execute commands or actions on request, using instructions issued across the network or internet using a “C&C” (command and control) coordination tool. Typically used to act as slaves or zombies in coordinated attacks in the future, often without their legitimate owners even being aware of the machine being compromised and subverted. Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks.
A form of denial of service (DoS) attack in which the impact or magnitude of an attack is increased by having it originate from many, usually dispersed, network origins or points. Such attacks can originate from subverted “zombie” computers of a botnet, with all origins flooding the target server, service or network with a significant amount of Internet traffic. A successful attack results in services for the victim being denied through an excessive consumption of resources, often leading to the target service being inoperable for all users.
An intruder (or team of intruders) that has a sophisticated level of expertise and significant resources (including time), allowing them to commit significant time, effort, and skill to attacking a system or organisation via multiple attack vectors and typically without detection. Rather than seek to immediately exploit vulnerabilities on a single system that is compromised, an APT will typically seek to “play the long game”, establishing a foothold on the compromised system and extending their access throughout the target organisation’s infrastructure to deliver on long-term and pre-defined objectives.
The act of an attacker who has managed to gain a foothold in an organisation or network on a single compromised host using that host as a “pivot point” from which to gain access to one or more additional systems. Since the compromised host is within the network perimeter, it is generally in a greater position of trust from a network perspective and may have access to more systems, and on a wider range of ports and services, than an attacker located wholly outside the network perimeter. Pivoting is fundamental to the success of advanced persistent threat (APT) attacks, in which an attacker grows their presence on a network from a single vulnerability up to and including full control of all systems.
Fingerprinting (also known as foot-printing) is the art of gathering information on a system or network in order to identify network services, operating system number and version, software applications, databases, configurations and more on a target network. Attackers can gather this information by sending TCP or ICMP packets and analysing responses from the systems – often attackers can then use this information gathered to target active attacks with greater precision by identifying systems with probable vulnerabilities based on their running services.
Computers that are operated by organisations that are intentionally left vulnerable to attack by attackers or malicious software. They are set up so that they appear to be running important production services, but in fact, do not contain production services or data and are monitored carefully in order to identify potential attackers targeting the organisation, as well as evaluate their location, resources and techniques, so that they can be more easily defended against.
Refers to a classification of threat actor that attempts to subvert the security of systems or networks in an unauthorised manner (without consent). The term is used in contrast to “white hat” or “ethical security hacker”, which may relate to a person with a similar skill set, but who is involved in authorised attempts to find vulnerabilities, such as contracted penetration testing, “red team” activities, bug bounty programmes or “hacker clubs”.
Blue teams are an authorised group employed or contracted by an organisation to defend the organisation’s systems and infrastructure from cyber-attacks. They are contrasted against so-called “red teams” that conduct real or simulated attacks. Blue teams analyse systems to ensure security, identify flaws and verify the effectiveness of an organisation’s security, providing recommendations to increase security readiness as well as deploying and monitoring these controls.
Domestic or industrial devices with specific and narrow purpose that embed electronics, sensors and software into a single network typically to collect and transmit data via the Internet. This includes many domestic devices with embedded operating systems such as CCTV cameras, smartwatches, speakers, doorbells, alarm clocks, baby monitors, and even some fridges and toys. They are often less robustly secured or hardened than dedicated server systems and have traditionally been susceptible to relatively simple and naive cyber-attacks.
The phases of a cyberattack (as well as the suitable controls against each phase by a defending organisation) as defined in an abstract model: from early reconnaissance through delivery and exploitation through to command and control and the delivery on objectives such as a goal of data exfiltration or data destruction.
The exploitation of a bug, misconfiguration, or flaw that allows an attacking party to gain greater privileges within a software application or operating system than would normally be permitted. For example, a standard user gaining administrative privileges on a system.
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a remote computer system that they are not authorised to access via normal channels. It is a general term, and the causes are diverse but are often related to dynamic code execution vulnerabilities, in which a system is tricked into handling data inputs that contain special control or break characters that cause it to execute the data as executable code rather than being treated as passively handled data.
Spoofing is an act of masquerading as a valid entity through falsification of data (such as an IP address or username), in order to gain access to information or resources that one is otherwise unauthorized to obtain.
A zero-day attack or zero-day exploit is an attack that exploits a previously undiscovered flaw in an application or operating system. The term zero-day refers to the number of days that a vendor has had to resolve the exploit.
A method of accessing a system that is protected by a shared secret (such as a password or cryptographic key) by submitting all possible combinations until the valid one is found, and access granted. Relies on weaknesses such as lack of rate-limiting on attempts or a cap on maximum attempts permitted. A dictionary attack is maybe the most basic form in terms of password brute-forcing, in which automated software tries thousands, if not millions, of randomly generated passwords to break password security.
An automated technique used during black box software testing to discover potential bugs and attack points within a piece of software or operating system. Fuzzing usually involves sending large amounts of random data to a target in the hopes of causing a crash. This can reveal flaws and defects deep within a code base that would otherwise not be found through conventional testing.
A back-door is typically an undocumented and unofficial way of gaining access to a computer system and is generally a potential security risk. It can come about through either being added by developers or system administrators – either for their own ongoing use or as a “temporary” measure during development that they then forget to remove – or else deliberately placed on a system by an attacker who has compromised it. This ensures their ongoing access if the original vulnerability that they used to compromise the system is remediated.
If you would like to learn more, you can find an exhaustive glossary of terms maintained by NIST at https://csrc.nist.gov/glossary
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).